A bug in Safari 15 may reveal your recent web browsing history and some of the information attached to your logged-in Google Account. The vulnerability resides in Apple’s implementation of IndexedDB, an application programming interface (API) that stores data in your browser, on macOS and iOS.
According to FingerprintJS findings, IndexedDB follows the same-origin policy, which limits how documents from one origin can interact with resources from other origins. Indexed databases are associated with a specific origin. “Documents or scripts associated with different origins should never have the ability to interact with databases associated with other origins,” the blog post states. Simply put, ideally a website that generates an indexed database should be the only one to access it. For example, if you opened a social network account in one web browser tab and a malicious website in another, the IndexedDB API should block the malicious website from viewing your social network account data.
However, the IndexedDB API violates this same-origin policy in Safari 15 on macOS, and in all browsers on iOS and iPadOS 15. FingerprintJS notes that whenever a website interacts with a database, a new, empty “database with the same name is created in all other active frames, tabs, and windows within the same browser session.”
This could let other websites, even potentially malicious ones, see the names of databases created by other sites. Those names could in turn give them specific details that help identify specific users.
Moreover, FingerprintJS indicates that platforms such as YouTube, Google Calendar or Google Keep create databases whose names include the Google user ID. If a user is logged in to several accounts, databases are created for all of these accounts. Now, Google uses this Google ID to collect publicly available information associated with an account.
The Safari 15 vulnerability could allow malicious websites to access all of this information, without user intervention. “Not only does this imply that untrustworthy or malicious websites can learn a user’s identity, but it also makes it possible to link multiple separate accounts used by the same user,” the site says. Worse still, this vulnerability also affects Private Mode in Safari 15.
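For site owners and testers, the behaviour described above can be checked from your own page. The following is an added example, not code from FingerprintJS or Apple: it compares the database names visible to an origin with the names that origin created, and flags own names that embed identifier-like tokens. It assumes names are read through the standard `indexedDB.databases()` call; the patterns and sample names are constructed for illustration.

```javascript
// Added example. ID_PATTERNS are illustrative assumptions, not an official list.
const ID_PATTERNS = [
  { kind: "long numeric id", re: /\d{12,}/ },
  { kind: "email address", re: /[^\s@|]+@[^\s@|]+\.[a-z]{2,}/i },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
];

// visibleNames: names the browser reports to this origin.
// ownNames: names this origin's own code is known to create.
function auditDatabaseNames(visibleNames, ownNames) {
  const own = new Set(ownNames);
  const report = { foreign: [], identifying: [] };
  for (const name of visibleNames) {
    if (!own.has(name)) {
      // A name this origin never created should not be visible at all:
      // its presence means the same-origin boundary is not being enforced.
      report.foreign.push(name);
      continue;
    }
    // Own names that carry a user identifier expose it if names ever leak.
    const hit = ID_PATTERNS.find((p) => p.re.test(name));
    if (hit) report.identifying.push({ name, kind: hit.kind });
  }
  return report;
}

// Browser-side helper: returns [] where databases() is not implemented.
async function visibleDatabaseNames(factory) {
  if (!factory || typeof factory.databases !== "function") return [];
  const list = await factory.databases();
  return list.map((db) => db.name);
}

// Constructed sample input (not taken from any real site).
const SAMPLE_OWN = ["app-cache", "offline.settings.100000000000000000001"];
const SAMPLE_VISIBLE = [...SAMPLE_OWN, "other-site-db"];

function runSample() {
  return auditDatabaseNames(SAMPLE_VISIBLE, SAMPLE_OWN);
}
```

In a browser, pass `await visibleDatabaseNames(indexedDB)` as the first argument; an empty `foreign` list and an empty `identifying` list are the expected results on a correctly isolated origin with opaque database names.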
So how can you protect yourself?
Unfortunately, there is not much you can do about this vulnerability, as Apple has not yet released a security patch. The only alternative users can try is to temporarily switch to another browser.