Security experts have uncovered a major flaw in the latest version of Apple’s internet browser which is leaking browsing history and even some identity data saved in associated Google accounts.
According to a blog post from cybersecurity service providers FingerprintJS, the problem lies in an Apple API, IndexedDB, used to store data in Safari 15.
Safari 15 has a security measure that prevents malicious pages opened in one tab from reading the data generated by websites opened in another tab. According to FingerprintJS, the IndexedDB API in Safari 15 does not abide by this policy (called the same-origin policy). Instead, “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”
No patch yet
The researchers have also explained how the flaw can be leveraged to obtain Google account data. Google’s services (for example, YouTube) generate databases containing the unique Google User ID in their names. As these IDs are used to access public information, such as a profile picture, other sites could see it, as well.
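Because what crosses origins here is the database name, a site that embeds a user identifier in that name is what turns the leak into an identity exposure. The sketch below is an added example, not code from FingerprintJS or the article: it audits a site's own IndexedDB database names for embedded identifiers, and the function name, patterns and sample names are assumptions made for illustration.

```javascript
// Added example: audit IndexedDB database names for embedded user identifiers.
// In a browser, the input would be the names returned by indexedDB.databases()
// on the site's own origin; here they are passed in so the check runs offline.

// Heuristic patterns (assumptions for illustration, not taken from the article).
const PATTERNS = [
  { reason: "long numeric ID", re: /\d{12,}/ },
  { reason: "email address", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
];

// Returns one finding per database name that appears to carry an identifier.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    // Exact check against identifiers the site knows it issues.
    for (const id of knownUserIds) {
      if (id && name.includes(String(id))) reasons.push("contains known user ID");
    }
    // Heuristic check for identifier-shaped substrings.
    for (const { reason, re } of PATTERNS) {
      if (re.test(name)) reasons.push(reason);
    }
    if (reasons.length > 0) findings.push({ name, reasons: [...new Set(reasons)] });
  }
  return findings;
}

// Constructed sample names (hypothetical, not real databases or real IDs).
const SAMPLE_NAMES = [
  "app-cache",
  "offline-store:100000000000000000001",
  "prefs|alice@example.test",
  "session-3f2b8c1e-9a4d-4e6f-8b1a-2c3d4e5f6a7b",
  "media-u-7731",
];

const SAMPLE_FINDINGS = auditDatabaseNames(SAMPLE_NAMES, ["7731"]);
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.name}: ${f.reasons.join(", ")}`);
}
```

A name that is flagged can be replaced with a constant one, with the per-user data keyed inside the database rather than in its name.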
To show how a website can learn any visitor's recent and current browsing activity, the researchers also built a demo which you can find on this link. At the moment, it detects 30 affected sites, but the list is probably a lot bigger.
Right now, there doesn’t seem to be a solution to the problem. As reported by The Verge, the problem even affects Private Browsing mode on Safari, and with Apple’s third-party browser engine ban on iOS, all other browsers are affected, as well.
The flaw was reported to the WebKit Bug Tracker in late November last year, but Apple is yet to issue an update for the browser, and remains silent on the matter.