According to the findings of FingerprintJS, a browser fingerprinting and fraud detection service (via 9to5Mac), a bug in Safari 15 could leak your browsing activity and also reveal some personal information associated with your Google Account.
The vulnerability stems from a problem with Apple’s implementation of IndexedDB, an application programming interface (API) that stores data on your browser.
As explained by FingerprintJS, IndexedDB follows the same-origin policy, which prevents one origin from interacting with data collected on another origin; essentially, only the website that generated the data can access it.
For example, if you open your email account in one tab and then a malicious Web page in another, the same-origin policy prevents the malicious page from viewing and interfering with your email.
FingerprintJS found that Apple’s implementation of the IndexedDB API in Safari 15 actually violates the same-origin policy.
When a website interacts with a database in Safari, FingerprintJS indicates that “a new (empty) database with the same name has been created in all other active frames, tabs, and windows within the same session of Navigator”.
This means that a website may see the names of databases created by other sites, and those names may contain details specific to your identity.
FingerprintJS notes that sites that use your Google account, such as YouTube, Google Calendar and Google Keep, all generate a database with your unique Google User ID in its name. Your Google User ID allows Google to access your publicly available information, such as your profile picture, which the Safari bug can expose to other websites.
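One check a site owner could run given the behaviour described above, as an added example that is not code from FingerprintJS or from the original article: it flags IndexedDB database names on the site's own origin that embed identifying values. The patterns, sample names and function names are assumptions made for illustration.

```javascript
// Added example: audit a site's own IndexedDB database names for embedded
// identifiers. Patterns and sample names are constructed, not from the report.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-numeric-id", re: /\d{10,}/ },
];

// Returns one finding per database name that contains a known per-user value
// (for example the signed-in account ID) or matches an identifier pattern.
function auditDatabaseNames(names, knownUserValues = []) {
  const findings = [];
  for (const name of names) {
    const reasons = new Set();
    for (const value of knownUserValues) {
      if (value && name.includes(value)) reasons.add("known-user-value");
    }
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      if (re.test(name)) reasons.add(kind);
    }
    if (reasons.size > 0) findings.push({ name, reasons: [...reasons] });
  }
  return findings;
}

// In a browser, indexedDB.databases() lists the databases of the current
// origin, so a site can audit what its own pages create.
async function auditOwnOrigin(knownUserValues = []) {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return null;
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name), knownUserValues);
}

// Constructed sample names (hypothetical, not taken from any real site).
const SAMPLE_NAMES = [
  "cache-v2",
  "offline.settings.123456789012345678901",
  "drafts_alice@example.com",
  "profile-u42",
];

const sampleFindings = auditDatabaseNames(SAMPLE_NAMES, ["u42"]);
console.log(sampleFindings);
```

Names that come back flagged are candidates for renaming to a value that does not identify the user.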
FingerprintJS has created a proof-of-concept demo that you can try if you have Safari 15 and above on your Mac, iPhone or iPad. The demo uses the browser’s IndexedDB vulnerability to identify sites you have visited (or recently opened) and demonstrates how the bug obtains your Google User ID information.
It currently only detects 30 popular sites that are affected by the bug, such as Instagram, Netflix, Twitter, Xbox, but it likely affects many more.
Unfortunately, there’s not much you can do to fix the problem, as FingerprintJS says the bug also affects private browsing mode on Safari.
You can use a different browser on macOS, but Apple’s ban on third-party browser engines on iOS means all browsers there are affected. FingerprintJS reported the leak to the WebKit bug tracker on November 28, but there has been no Safari update yet. Edge contacted Apple with a request for comment, but Apple did not immediately respond.
Private browsing mode in Safari 15 is also suspected to be affected by the vulnerability.
FingerprintJS, a browser fingerprinting and fraud detection service, found that the bug stemmed from a problem with Apple’s implementation of IndexedDB, an application programming interface (API) that stores data on your browser.
“IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. It is supported and commonly used in all major browsers,” FingerprintJS said in a statement.
The report states that more than 30 websites interact with the indexed database directly on their homepages without any additional user interaction or need to authenticate.
“We suspect this number to be significantly higher in real-world scenarios because websites may interact with the database on sub-pages, following specific user actions, or on authenticated portions of the page,” the FingerprintJS team said.