A vulnerability in Apple’s Safari 15 browser could leak browsing history and expose some personal information associated with a Google account, according to researchers from FingerprintJS.
The vulnerability is reportedly related to Safari’s implementation of IndexedDB, a mechanism that allows websites to store databases on the user’s device and that keeps data belonging to one origin from interacting with resources from other origins (the same-origin policy). Simply put, sites can interact only with the data that they themselves created. For example, if a user opens their mailbox in one tab and a malicious page in the next tab, IndexedDB will not allow the latter to access the data associated with the email page.
FingerprintJS researchers have found that the IndexedDB implementation in Safari 15 violates the same-origin restriction. When a site interacts with a database stored on the user’s device, an empty database with the same name is automatically created in all other open windows, tabs and frames within the active session. This means that third-party sites can see the names of databases belonging to other web resources, and those names may contain personal user data. For example, sites using a Google account, such as YouTube or Google Calendar, create databases with a unique Google user ID in the name. This identifier allows Google to access public user information, such as a profile picture, which, due to the vulnerability in Safari, may be available to other websites.
Safari users won’t be able to fix this issue on their own. Researchers at FingerprintJS reported the vulnerability via the WebKit bug tracker back on November 28, but a patch for Safari has yet to be released. Apple officials have so far refrained from commenting on this issue.
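Until a patch ships, the names of IndexedDB databases have to be treated as readable by other sites. The following is an added example, not code from FingerprintJS or the original article: a developer-side check that flags database names embedding user identifiers. The function name, the heuristics and the sample names are assumptions constructed for illustration.

```javascript
// Added example: audit the database names an application passes to
// indexedDB.open() for embedded user identifiers.
// Assumption: names are visible to other origins, as in the bug described above.
const HEURISTICS = [
  { reason: "long numeric ID", re: /\d{15,}/ },
  { reason: "email address", re: /[^\s@]+@[^\s@]+\.[a-z]{2,}/i },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
];

// names: database names created by the app while signed in as a test account.
// knownIdentifiers: values tied to that test account (user ID, email, ...).
function auditDatabaseNames(names, knownIdentifiers = []) {
  const findings = [];
  for (const name of names) {
    const lower = name.toLowerCase();
    // Exact knowledge first: does the name contain a value of the test account?
    const known = knownIdentifiers.find(
      (id) => id && lower.includes(String(id).toLowerCase())
    );
    if (known !== undefined) {
      findings.push({ name, reason: "known identifier of the test account" });
      continue;
    }
    // Otherwise fall back to pattern heuristics for identifier-like tokens.
    const match = HEURISTICS.find(({ re }) => re.test(name));
    if (match) findings.push({ name, reason: match.reason });
  }
  return findings;
}

// Constructed sample input (not taken from any real site).
const sampleNames = [
  "app-cache",
  "offline.settings.100000000000000000001",
  "drafts_alice@example.com",
  "keyval-store",
];
const report = auditDatabaseNames(sampleNames, ["100000000000000000001"]);
console.log(report);
```

Any name the check reports should be replaced by one that carries no per-user value.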