Date: 2022-01-18



A newly discovered bug in Safari 15 allows any website to track your browsing activity and may reveal the identity of Google users.

The vulnerability is due to Apple’s implementation of IndexedDB, a storage API widely supported by modern browsers. The issue affects not only Mac users but also iPhone and iPad users. Here’s what you need to know.

Safari 15 leaks user data

IndexedDB is a JavaScript API for web browsers designed to hold large amounts of data, including files. Various web apps use IndexedDB to store data on the user’s machine to speed things up.

IndexedDB follows what is called the same-origin policy, a security mechanism that limits the way documents or scripts loaded from one origin interact with resources from another origin. In other words, the same-origin policy prevents one website from accessing data stored by another.

However, in Safari 15, the same-origin policy does not work properly for IndexedDB due to a bug. This lets a website see databases created by other sites, exposing your browsing habits beyond that site. In addition, the bug can even reveal your identity.

Google users, take note

In some cases, websites use unique user-specific identifiers in database names, explains FingerprintJS, which first discovered this issue. This means that an authenticated user can be uniquely and accurately identified.

This is because popular Google sites such as YouTube, Google Calendar, and Google Keep create databases containing authenticated Google user IDs. This ID is paired with a single Google account (your account) and can be used to retrieve user information via the Google API.

The report warns that these leaks do not require any specific user action. A tab or window that runs in the background and continuously queries the IndexedDB API for available databases can learn in real time which other websites a user visits.
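For site operators, one way to check your own origin for the pattern described above is to audit the IndexedDB database names it creates for embedded user identifiers. This is an added example, not code from FingerprintJS or the original article; the heuristics, the names `auditDatabaseNames` and `auditCurrentOrigin`, and the sample data are assumptions constructed for illustration.

```javascript
// Added example: heuristics and sample names are assumptions, constructed for illustration.
const HEURISTICS = [
  { reason: "long digit run (possible numeric account ID)", re: /\d{12,}/ },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "email address", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { reason: "long hex token", re: /\b[0-9a-f]{32,}\b/i },
];

// Pure check: flag database names that would identify a user if the name
// became visible to another origin. knownIds lets the application pass the
// signed-in user's own identifiers for an exact match.
function auditDatabaseNames(names, knownIds = []) {
  const findings = [];
  for (const name of names) {
    if (typeof name !== "string") continue;
    const reasons = [];
    if (knownIds.some((id) => id && name.includes(id))) {
      reasons.push("contains signed-in user's ID");
    }
    for (const { reason, re } of HEURISTICS) {
      if (re.test(name)) reasons.push(reason);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Browser entry point: audits the databases of the page's own origin.
// Returns null where indexedDB.databases() is unavailable (e.g. Node.js).
async function auditCurrentOrigin(knownIds = []) {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null;
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name), knownIds);
}

// Constructed sample data, not real identifiers.
const SAMPLE_USER_ID = "102938475610293847561";
const SAMPLE_NAMES = [
  "offline-cache",
  "settings-v2",
  `notes.${SAMPLE_USER_ID}`,
  "sync-3f2a9c1e-7b4d-4e8a-9c2f-a1b2c3d4e5f6",
];

console.log(JSON.stringify(auditDatabaseNames(SAMPLE_NAMES, [SAMPLE_USER_ID]), null, 2));
```

Any name it flags is a candidate for renaming to a fixed or per-device random value, with the user-specific data kept inside the database rather than in its name.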

Private mode can’t help you

FingerprintJS checked Alexa’s top 1,000 websites to see how many of them use IndexedDB. It found more than 30 that interact directly with the API on the home page without any special user interaction. Therefore, certain sites may scrape your data and you will not know anything about it.

According to FingerprintJS, this number is likely to be significantly higher in real-world scenarios because websites can interact with the database on subpages, after certain user actions, or in the authenticated part of the page.

Unfortunately, this bug also affects Safari’s private mode. However, private mode limits each browsing session to one tab, which significantly reduces the amount of information that can leak across multiple sites.

See if a Safari bug affects you

You can see if the Safari bug is affecting you by visiting the FingerprintJS proof-of-concept page. With just one click, you can see what data Safari is leaking about you. It also shows all the Google user IDs that can be detected. It’s a simple demo app and it’s completely safe.

FingerprintJS reported this privacy flaw on November 28, 2021 via the WebKit bug tracker. It hasn’t been fixed yet. There is little you can do to protect yourself with Safari 15 other than completely blocking JavaScript. However, this does prevent many websites from functioning as intended. Moreover, it is not completely effective.

If you’re worried about this issue, we recommend using a different web browser until Apple publishes the fix. Also, install the Safari update as soon as it becomes available.

