Safari 15 flaw can leak browser activity and user identifiers to other sites

by Prayank
1:05 pm IST | January 18, 20227:40 pm IST | January 18, 2022
2 min read

Apple’s native browser Safari (15) has a bug that can leak a person’s browsing activity and identifiers, including Google ID. The flaw has arisen due to Apple’s implementation of the IndexedDB API that stores data on the browser.

While IndexedDB API implementation shouldn’t allow other websites opened on the same browser to read the browser activity, according to findings from the browser fingerprinting API service, FingerprintJS, the software bug violates the “same-origin” policy.

For example, if you’ve got your bank account running on one tab and email on another, the ‘same-origin’ policy prevents both the tabs from interacting automatically or using information from one another. However, Safari 15 doesn’t stop this from happening.

The bug affects Safari 15 on macOS, iOS and iPadOS. Since the app store requires all browsers on iOS and iPadOS to use the webkit engine, the bug potentially affects all browser on Apple’s mobile OS.

According to FingerprintJS, “Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”

They reported the bug on November 28, 2021, but Apple is yet to push an update to Safari. While Apple engineers started working on a potential fix on Sunday and marked the issue as ‘resolved’, the bug will continue to affect people until these fixes are rolled out.

How does this Safari bug affect you?

As per the findings, the bug causes Safari to allow websites opened in the browser to view other tab databases, including details there that could include personal identifiers. For example, any site using your Google account generates a unique Google user ID database. The Safari bug will expose the information held within your Google ID to all other websites opened in the same browser — in other tabs or windows.

The researchers have also created a demo site that demonstrates how a website can scrape Google account identifiers of a person. The demo can detect more than 20 websites in other browser tabs or windows, including Youtube, Twitter, Instagram, Google Calendar, among others. Opening the demo site in an affected browser will allow you to see how the browsing activity and personal identifiers are leaked.

YouTube video

in the News: Ukrainian Government sites attacked amid high tensions with Russia

Prayank

Writes news mostly and edits almost everything at Candid.Technology. He loves taking trips on his bikes or chugging beers as Manchester United battle rivals. Contact Prayank via email: prayank@pm.me