
Unpatched Safari 15 bug on macOS, iOS 15, and iPadOS 15 found to expose browsing history and Google account info

Safari on macOS and iOS 15 suffers from a serious privacy violation bug. (Image Source: Apple)
A major bug exists in Safari 15 that can put user privacy at risk. The IndexedDB API bug, which affects Safari users on macOS, iOS 15, and iPadOS 15, violates the same-origin policy that prevents websites from accessing information from other websites that also interact with the IndexedDB database. A maliciously designed website can thus get access to information such as browsing history and identifiers such as Google user IDs.

Safari users on macOS and iOS may be vulnerable to a serious privacy violation. A bug exists in Safari 15's implementation of IndexedDB, which enables any website to read database entries of not only its own but of other websites as well. Therefore, information such as Google user ID strings can be seen by unauthorized third parties, potentially compromising one's identity.

All browsers use an IndexedDB or an indexed database to store significant amounts of data on the client's storage for quick retrieval. Each browser determines its own limits on how much space to allocate to IndexedDB and automatically deletes data as those limits near, based on defined criteria. IndexedDB is accessed via a low-level API, which is usually abstracted behind a more developer-friendly API.

In Safari 15, the IndexedDB API violates the "same-origin policy". Two URLs are said to have the same origin if they use the same protocol, port (if specified), and host. Same-origin is a critical security mechanism that prevents documents or scripts from one origin from interacting with data or resources from other origins unless permitted via cross-origin resource sharing (CORS).

According to FingerprintJS, who first reported the issue to Apple on November 28, Safari 15 on macOS and all browsers on iOS 15 and iPadOS 15 create an empty database with the same name for all active windows and tabs each time a website interacts with IndexedDB. This means a cleverly coded website from a different "origin" can essentially scrape what the user is visiting in any open tab or window unless a different profile is used. Thus, even information in private windows is not secure.
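
The origin rule and the isolation failure described above, as an added illustration that is not code from FingerprintJS, Apple or this article: a toy JavaScript model comparing origin-scoped database listing with profile-wide listing. The `ProfileStore` class, its methods, the URLs and the database names are all hypothetical.

```javascript
// Toy model for illustration; not Safari or WebKit code. All names are hypothetical.

// Origin = scheme + host + port. The URL parser drops default ports, so
// https://news.example and https://news.example:443 are the same origin.
const originOf = (url) => new URL(url).origin;
const sameOrigin = (a, b) => originOf(a) === originOf(b);

// One browser profile's IndexedDB bookkeeping: origin -> Set of database names.
class ProfileStore {
  byOrigin = new Map();

  // A page at `url` creates a database called `name`.
  open(url, name) {
    const origin = originOf(url);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Set());
    this.byOrigin.get(origin).add(name);
  }

  // Expected behaviour: the caller sees only names created under its own origin.
  listScoped(callerUrl) {
    return [...(this.byOrigin.get(originOf(callerUrl)) || [])].sort();
  }

  // Behaviour the article describes: names from every origin are visible.
  listProfileWide() {
    return [...this.byOrigin.values()].flatMap((s) => [...s]).sort();
  }
}

// Isolation check: visible names that the caller's origin did not create.
function crossOriginNames(store, callerUrl, visibleNames) {
  const own = new Set(store.listScoped(callerUrl));
  return visibleNames.filter((n) => !own.has(n));
}

// Constructed sample data; the URLs and database names are made up.
function demo() {
  const store = new ProfileStore();
  store.open("https://accounts.example/login", "user-1234567890");
  store.open("https://news.example:443/today", "article-cache");
  store.open("https://blog.example/", "drafts");
  const caller = "https://blog.example/post/1";
  return {
    scoped: crossOriginNames(store, caller, store.listScoped(caller)),
    leaky: crossOriginNames(store, caller, store.listProfileWide()),
  };
}

console.log(demo());
```

A non-empty `leaky` list is the isolation failure: the names alone show which other sites are open in the profile, and a name that embeds an account identifier exposes that identifier too.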

Websites such as Google and its services create databases that include the Google user ID for each logged-in account. A malicious website can simply trigger the opening of an iframe or popup and scrape this information. Since this user ID is an identifier, it can potentially be used to retrieve the person's details such as the profile picture, for example.

The analysts at FingerprintJS have created a demo website (safarileaks.com) that shows the leak in action and works for more than 20 websites open in other tabs and windows in the same profile. If you are logged in to your Google account in the same instance, the demo site will also reveal your Google user ID.

Unfortunately, there's not much that can be done by the end user at the moment. Blocking all JavaScript content is one workaround, but that severely hinders the browsing experience. While users on macOS can use a different browser such as Microsoft Edge or Mozilla Firefox, those on iOS have no such option since even third-party browsers are supposed to use WebKit.

Vaidyanathan Subramaniam, 2022-01-17 (Update: 2022-01-17)