Safari 15 bug can leak your Google account info, recent browsing history
What’s even worse is that this vulnerability also affects the private mode in Safari 15.
Published:Mon, January 17, 2022 9:30am
A bug in Safari 15 can reveal your recent web browsing history and some of the information attached to your logged-in Google account. The vulnerability lies in Apple's implementation of IndexedDB, which is an application programming interface (API) that stores data on your browser, on macOS and iOS.
According to findings from FingerprintJS, IndexedDB follows the same-origin policy that restricts how documents on one origin can interact with resources from other origins. Indexed databases are associated with a specific origin. "Documents or scripts associated with different origins should never have the possibility to interact with databases associated with other origins," the blog says. Simply said, ideally, a website that generates an indexed database should be the only one to access it. For instance, if you have opened a social media account in one tab of the web browser and a malicious website on the other, the IndexedDB API should prevent the malicious website from looking into the data of your social media account.
However, in the case of Safari 15, the IndexedDB API is violating this same-origin policy in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15. FingerprintJS notes that every time a website interacts with a database, a new and empty "database with the same name is created in all other active frames, tabs, and windows within the same browser session."
This could lead other websites, even the potentially malicious ones to see the name of other databases on other sites. This indeed could give them specific details, which would help them in identifying specific users.
Furthermore, FingerprintJS says that platforms such as YouTube, Google Calendar, or Google Keep create databases that include the Google User ID. And in case a user is logged into multiple accounts, databases are created for all these accounts. Now, Google uses this Google ID to collect publicly available information associated with an account.
Safari 15's vulnerability can allow malicious websites to access all of this information, without the user taking any action. "Not only does this imply that untrusted or malicious websites can learn a user's identity, but it also allows the linking together of multiple separate accounts used by the same user," the site says. What's even worse is that this vulnerability also affects the private mode in Safari 15.
So how can you safeguard yourself?
Unfortunately, there isn't much you can do about this vulnerability as Apple is yet to release a security patch for it. The only alternative that users can try is temporarily switching to a different browser.