A Safari bug discovered by the anti-fraud security firm FingerprintJS can leak information about your recent browsing history and even some sensitive account details of the logged-in Google account.
Google users’ account details are currently at risk because of an unpatched Safari bug
A bug in Safari’s IndexedDB implementation on Mac, iPhone, and iPad can allow any website to track a browser’s internet activity since it can see the names of databases for any domain, not just its own. This can be used to determine a user’s identity by extracting identifying information. From FingerprintJS’ blog post:
In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.
IndexedDB is a browser API used to hold data. For example, Google stores an IndexedDB instance for each of your logged-in accounts. Using the exploit, a malicious site could pull your Google User ID and subsequently use that ID to find out other personal information about you.
We checked the homepages of Alexa’s Top 1000 most visited websites to understand how many websites use IndexedDB and can be uniquely identified by the databases they interact with.
The results show that more than 30 websites interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate. We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page.
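For a site owner, what this bug exposes depends on what the site's own IndexedDB database names contain. The following is an added example, not code from FingerprintJS or the original article: it flags database names that embed a user identifier. The patterns, function name, and sample names are constructed assumptions.

```javascript
// Added example: audit the IndexedDB database names your own site creates.
// A static name can only reveal that the site was visited; a name that embeds
// an account identifier can reveal who the visitor is.
// The patterns below are assumptions about what an identifier looks like.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-numeric-id", re: /\d{10,}/ },
  { kind: "long-hex-token", re: /[0-9a-f]{24,}/i },
];

// Classify each database name. Input is a plain list of names, for example
// copied from the browser's storage inspector or from the site's own code.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    if (typeof name !== "string" || name.length === 0) continue;
    const hit = IDENTIFIER_PATTERNS.find((p) => p.re.test(name));
    findings.push({
      name,
      embedsUserId: Boolean(hit),
      reason: hit ? hit.kind : "static name",
    });
  }
  return findings;
}

// Names that should be changed to a static value, with the identifier moved
// into a record inside the database instead of the database name.
function namesToRename(names) {
  return auditDatabaseNames(names)
    .filter((f) => f.embedsUserId)
    .map((f) => f.name);
}

// Constructed sample names (hypothetical, not taken from any real site).
const SAMPLE_NAMES = [
  "v2-assets",
  "inbox-user-104857600123456789",
  "drafts-alice@example.com",
  "session-3f2b8c1e-9a4d-4e6f-8b2a-1c3d5e7f9a0b",
  "tok-a1b2c3d4e5f6a1b2c3d4e5f6",
];

console.log(auditDatabaseNames(SAMPLE_NAMES));
```
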
All current versions of Safari on iPhone, iPad, and Mac can be exploited. FingerprintJS says they reported the bug to Apple on November 28, but there has been no fix released for it as of yet.
There is little users can do to protect themselves from this exploit. To err on the side of caution, macOS users should use a different browser as a safety measure in the meantime. This option is not available to iOS and iPadOS users. Ultimately, FingerprintJS researchers say, “the only real protection is to update your browser or OS once the issue is resolved by Apple.”