A vulnerability in Apple’s Safari 15 browser could reveal browsing history and some personal information associated with a Google account. researchers out FingerprintJS.
The vulnerability in Safari is reportedly related to the implementation of the IndexedDB mechanism, which allows websites to store databases on the user’s device and restrict the interaction of data from one source with resources from other sources. Simply put, this mechanism allows websites to only interact with the data that they have created themselves. For example, if a user opens their mailbox on one tab and opens a malicious page on the next tab, IndexedDB will not allow the latter to access the data associated with the email page.
FingerprintJS researchers have found that the IndexedDB mechanism in Safari 15 violates the domain restriction rule. When a website interacts with a database stored on the user’s device within an active session in all open windows, tabs and frames, an empty copy of the database with the same name is automatically created. This means that third-party websites can access database names related to other web resources, and such databases may contain personal user information. For example, websites that use a Google account, like YouTube or Google Calendar, create databases with a unique Google user ID in the name. This identifier allows Google to access public user information, such as B. a profile picture that may be available to other websites due to a security vulnerability in Safari.
Safari users cannot fix this problem themselves. FingerprintJS researchers previously reported the vulnerability via the WebKit bug tracker on November 28, but a patch for Safari has yet to be released. Apple officials have so far been reluctant to comment on the matter.