A nasty Safari bug could leak your browsing data and Google Account info

A bug discovered in Safari 15 could be leaking information about the sites you visit online. Even worse, it could expose your unique Google ID and profile information.

As reported by 9to5Mac, the bug was first discovered in late November by FingerprintJS, a Chicago-based company specializing in online fraud prevention. According to an announcement published on Friday, the problem stems from a system used by Safari 15 and all other major web browsers to cache browsing information on your phone, tablet, or computer.

It’s called IndexedDB, and today’s complex websites lean on it heavily. Normally, information stored in IndexedDB can only be accessed by a web page from the same domain that created it. If Google creates it, for example, the information cached there can only be accessed by another Google web page.

This “same origin” policy is designed to protect you from malicious sites that may attempt to steal information from your browser.

What FingerprintJS discovered is that the current version of WebKit, the browser engine that powers Safari on the Mac as well as all browsers on iOS and iPadOS, could be tricked into skipping same-origin checking.

What’s wrong with that? FingerprintJS says that “it allows arbitrary websites to learn which websites [you visit] in different tabs or windows.” In addition, “[some] websites use user-specific unique identifiers in database names [which] means authenticated users can be uniquely and accurately identified.”

To demonstrate the bug, FingerprintJS created a website at safarileaks.com. Open it in the latest version of Safari (or another WebKit-powered browser on your iPhone or iPad) and you’ll see what kind of information IndexedDB is leaking.

You can even see your Google profile picture, which can be looked up using an ID attached to IndexedDB caches on some sites.

Bug: Crushed

FingerprintJS submitted this issue to the WebKit bug tracker on November 28. Today they updated their blog post to announce that Apple developers have coded a fix and marked the issue as resolved.

However, the change will not take effect immediately. Updates take time to roll out and it may take some time for your devices to receive the patch.

For now, you can protect yourself by using a non-WebKit browser like Firefox on your Mac. On an iPhone or iPad, you can temporarily disable JavaScript, but expect many features on many websites to break if you do.
