According to findings from FingerprintJS, a browser fingerprinting and fraud detection service, a bug in Safari 15 can potentially leak your browsing activity as well as some of the personal information associated with your Google account (via 9to5Mac). The vulnerability stems from a flaw in Apple’s implementation of IndexedDB, an application programming interface (API) that saves data in your browser.
According to FingerprintJS, IndexedDB follows the same-origin policy, which prevents one origin from interacting with data gathered by other origins — in other words, only the website that creates data has access to it. The same-origin policy, for example, prohibits a malicious webpage from accessing and interfering with your email if you open your email account in one tab and a malicious webpage in another.
According to FingerprintJS, Apple’s implementation of the IndexedDB API in Safari 15 violates the same-origin policy. When a website interacts with a database in Safari, FingerprintJS says, “a new (empty) database with the same name is produced in all other active frames, tabs, and windows within the same browser session.”
This means that other websites can see the names of databases created on other sites, and those names may include personal information about you. Sites that use your Google account, such as YouTube, Google Calendar, and Google Keep, all create databases with your unique Google User ID in the name, according to FingerprintJS. Your Google User ID lets Google access your publicly available information, such as your profile picture, which the Safari flaw can disclose to other websites.
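The scoping failure FingerprintJS describes can be seen in a small model, added here as an illustration; it is not WebKit code or FingerprintJS’ demo. The class, method names, origins and database name are hypothetical, and the session is simulated in plain JavaScript rather than using a real browser.

```javascript
// Toy model (constructed for illustration) of IndexedDB name scoping in one
// browser session. Not WebKit code; all names below are hypothetical.
class SessionModel {
  constructor({ leaky }) {
    this.leaky = leaky;       // true = behaviour reported for Safari 15
    this.stores = new Map();  // origin -> Map(database name -> records)
  }

  // An origin becomes active when a frame, tab or window for it is open.
  openFrame(origin) {
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
  }

  // Model of a page on `origin` opening (and creating) a database.
  open(origin, name) {
    this.openFrame(origin);
    const own = this.stores.get(origin);
    if (!own.has(name)) own.set(name, []);
    if (this.leaky) {
      // Reported flaw: a new, empty database with the same name is
      // produced in every other active frame, tab and window.
      for (const [other, dbs] of this.stores) {
        if (other !== origin && !dbs.has(name)) dbs.set(name, []);
      }
    }
    return own.get(name);
  }

  // Database names visible to a page on `origin`.
  databases(origin) {
    return [...(this.stores.get(origin) ?? new Map()).keys()];
  }
}

// One origin creates a database whose name embeds an identifier
// (placeholder value); report what an unrelated origin can see.
function visibleNames(leaky) {
  const session = new SessionModel({ leaky });
  const dbName = "offline.USER_ID_PLACEHOLDER"; // constructed sample name
  session.openFrame("https://other.example");
  session.open("https://video.example", dbName).push({ title: "saved item" });
  return {
    names: session.databases("https://other.example"),
    records: session.stores.get("https://other.example").get(dbName),
  };
}
```

With correct same-origin scoping the unrelated origin sees no names; in the leaky model it sees the name, identifier included, while the duplicated database itself stays empty.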
If you have Safari 15 or above on your Mac, iPhone, or iPad, you can try FingerprintJS’ proof-of-concept demo. The demo uses the browser’s IndexedDB vulnerability to detect the sites you have open (or recently opened), and illustrates how sites that exploit the flaw can scrape information from your Google User ID. It presently recognizes 30 prominent sites impacted by the issue, including Instagram, Netflix, Twitter, and Xbox, but the issue is expected to affect many more.
Unfortunately, there isn’t much you can do about it, as the problem also affects Safari’s Private Browsing mode, according to FingerprintJS. On macOS, you can use a different browser, but on iOS, Apple’s prohibition on third-party browser engines means all browsers are affected. On November 28th, FingerprintJS submitted the bug to the WebKit Bug Tracker, but Safari has yet to receive an update. The Verge reached out to Apple for comment but did not receive a response right away.