Date: 2022-01-17



According to research by FingerprintJS (via 9to5Mac), a browser fingerprinting and fraud detection service, a bug in Safari 15 could leak your browsing activity and reveal some of the personal information attached to your Google account. The vulnerability stems from an issue in Apple’s implementation of IndexedDB, an application programming interface (API) that stores data in the browser.

As FingerprintJS explains, IndexedDB adheres to the same-origin policy. This policy restricts one origin from interacting with data collected by other origins, so that data can only be accessed by the website that produced it. For example, if you open an email account in one tab and then open a malicious web page in another tab, the same-origin policy prevents the malicious page from viewing or interfering with your email.


FingerprintJS discovered that Apple’s implementation of the IndexedDB API in Safari 15 actually violates the same-origin policy. When a website interacts with a database in Safari, FingerprintJS says, a new (empty) database with the same name is created in every other active frame, tab, and window in the same browser session.

This means that other websites can see the names of databases created by other sites, and those names may contain details specific to your identity. FingerprintJS notes that sites that use your Google account, such as YouTube, Google Calendar, and Google Keep, all generate databases with your unique Google User ID in the name. Your Google User ID allows Google to access your publicly available information, such as your profile picture, which the Safari bug may expose to other websites.
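The behaviour described above can be modelled in a few lines. This is an added illustration, not FingerprintJS's demo or WebKit code: `SessionModel`, `foreignNames`, `runScenario`, the origins and the database names are all constructed for the example. It contrasts a correctly scoped name registry with the leaky one and checks the invariant that an origin can only list database names it created itself.

```javascript
// Toy model of one browser session's IndexedDB name registry (hypothetical names).
class SessionModel {
  constructor({ leaky }) {
    this.leaky = leaky;        // true = the behaviour reported for Safari 15
    this.contexts = new Map(); // origin -> Set of database names visible there
  }
  // A frame, tab or window for `origin` becomes active in the session.
  openContext(origin) {
    if (!this.contexts.has(origin)) this.contexts.set(origin, new Set());
  }
  // Models a call to indexedDB.open(name) made by `origin`.
  open(origin, name) {
    this.openContext(origin);
    for (const [ctxOrigin, names] of this.contexts) {
      // Correct: only the calling origin gets the database.
      // Leaky: an empty database of the same name appears in every active context.
      if (ctxOrigin === origin || this.leaky) names.add(name);
    }
  }
  // Models what indexedDB.databases() would list for `origin`.
  databases(origin) {
    return [...(this.contexts.get(origin) ?? [])].sort();
  }
}

// Same-origin invariant: every name an origin can list must be one it created.
// Returns the names that violate it (empty array when isolation holds).
function foreignNames(session, origin, createdByOrigin) {
  const own = new Set(createdByOrigin);
  return session.databases(origin).filter((name) => !own.has(name));
}

// Constructed scenario: two sites open in the same session.
function runScenario(leaky) {
  const session = new SessionModel({ leaky });
  session.openContext("https://news.example");
  session.openContext("https://calendar.example");
  // The name embeds an account identifier, as the article describes for Google sites.
  session.open("https://calendar.example", "offline.USER-ID-PLACEHOLDER");
  session.open("https://news.example", "reader-cache");
  return foreignNames(session, "https://news.example", ["reader-cache"]);
}

console.log("isolated:", runScenario(false)); // no foreign names
console.log("leaky:   ", runScenario(true));  // the other site's database name
```

Only the name crosses the boundary in this model, which matches the report: the databases created in other contexts are empty, but the name alone carries the identifier.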

This is a big bug. OSX allows Safari users to (temporarily) switch to another browser to prevent data leaks between origins. Apple has banned other browser engines, so iOS users don’t have that option. https://t.co/aXdhDVIjTT

FingerprintJS has created a proof-of-concept demo that you can try if your Mac, iPhone, or iPad has Safari 15 or later. The demo uses the browser’s IndexedDB vulnerability to identify the sites you have open (or opened recently) and shows how sites that exploit the bug can retrieve information from your Google User ID. It currently detects only 30 popular sites affected by the bug, such as Instagram, Netflix, Twitter and Xbox, but more could be affected.

Unfortunately, there is not much you can do to avoid this problem. According to FingerprintJS, the bug also affects Safari’s private browsing mode. You can use a different browser on macOS, but Apple’s ban on third-party browser engines on iOS means that all browsers there are affected. FingerprintJS reported the leak to the WebKit bug tracker on November 28th, but there is no update to Safari yet. The Verge contacted Apple for comment, but didn’t get an immediate reply.

