



A serious Safari bug disclosed in this blog post from FingerprintJS could reveal information about your recent browsing history, as well as information about your logged-in Google account.

A bug in Safari’s IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a look-up table. You can try it out in this live demo.

For example, Google services store an IndexedDB instance for each logged-in account, and the database name corresponds to your Google user ID.

The ID is used to make API requests to Google services, so with the exploit described in the blog post, a malicious site could obtain your Google user ID and then use that ID to find out other personal information about you. The proof-of-concept demo shows the user’s profile picture.

The proof of concept only keeps a look-up table for about 30 domain names, but there’s no reason why this technique couldn’t be applied to a much larger set. Almost any website that uses the IndexedDB JavaScript API can be vulnerable to such data scraping.

The bug is that the names of all IndexedDB databases are available to any site. Access to the actual content of each database is still restricted. The fix, and the correct behavior observed in other browsers like Chrome, is that a website can only see databases created by the same domain name as itself.

All current versions of Safari on iPhone, iPad and Mac can be exploited. FingerprintJS said it reported the bug to Apple on November 28th, but it hasn’t been resolved yet.
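
Because the bug exposes database names but not database contents, what a site leaks depends on what it puts in those names. The JavaScript below is an added example, not code from the FingerprintJS post or from Apple: it audits the database names an origin has created and flags any that embed user-specific values. The function names, the matching heuristics and the sample database names are assumptions constructed for illustration.

```javascript
// Added example: audit the IndexedDB database names created by your own origin.
// The heuristics are assumptions for illustration; tune them to your ID formats.
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;
const LONG_DIGITS_RE = /\d{10,}/;

// databases: array of { name, version }, the shape indexedDB.databases() resolves to.
// userValues: values tied to the signed-in user (account ID, username, email).
function auditDatabaseNames(databases, userValues = []) {
  const findings = [];
  for (const { name } of databases) {
    if (typeof name !== "string") continue;
    const lower = name.toLowerCase();
    const reasons = [];
    const hit = userValues.some(
      (v) => v && lower.includes(String(v).toLowerCase())
    );
    if (hit) reasons.push("contains a known user value");
    if (LONG_DIGITS_RE.test(name)) reasons.push("long numeric run");
    if (EMAIL_RE.test(name)) reasons.push("looks like an email address");
    if (UUID_RE.test(name)) reasons.push("contains a UUID");
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// In a browser, audit the real list for the current origin.
// Resolves to null where indexedDB.databases() is unavailable (e.g. Node).
async function auditCurrentOrigin(userValues = []) {
  if (typeof indexedDB === "undefined" ||
      typeof indexedDB.databases !== "function") {
    return null;
  }
  return auditDatabaseNames(await indexedDB.databases(), userValues);
}

// Constructed sample input; these names are not taken from any real site.
const SAMPLE_DATABASES = [
  { name: "app-cache", version: 3 },
  { name: "offline.users.100000000000000000001.v2", version: 1 },
  { name: "drafts-alice@example.com", version: 1 },
  { name: "settings", version: 2 },
];

for (const f of auditDatabaseNames(SAMPLE_DATABASES)) {
  console.log(`${f.name}: ${f.reasons.join(", ")}`);
}
```

Names that are flagged are candidates for replacement with a fixed, non-identifying name, with the per-user value moved inside the database, where access remains restricted.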

