Safari bug can leak your browsing history and Google account information
A week ago, we discussed Powerdir, a vulnerability in macOS that could have been used by hackers to access the user's data. The issue, which was discovered by Microsoft engineers, was fixed by Apple in a patch that shipped last year. Today, news about a Safari bug has surfaced, that can leak your browsing history and information related to your Google account.
Safari bug can leak your browsing history
Apple's browser, which is the default on macOS, iOS, and iPadOS has a security issue related to IndexedDB. This is an API that is used by websites to store data on the device, and uses the same-origin policy. It restricts other websites, documents, scripts from accessing data belonging to a specific website. It is kind of like a sandbox for the data created by a website.
IndexedDB, or Indexed databases, are tied to a specific origin, e.g. your Google account is associated with its own database. So, theoretically, other sites should not be able to access the information stored in the database, but FingerprintJS has discovered that an exploit exists in Safari 15, that can reveal the data to other sites.
How is that possible? When a website accesses a database, the rest of the data from other tabs, windows and frames in the current session are stored in a new database. The problem here is that the newly created database shares the same name as the original one, as a result of which the database names are leaked across different origins (websites).
This in turn will allow websites to identify users by their unique ID. What's worse here is that the websites store the authenticated Google user ID in these databases. In the event someone has logged into multiple accounts, each one has its own database. The user ID is used by Google to identify the user via the People API, to fetch the publicly available personal information from the account, such as their profile picture. So, a malicious website can get this information, just because a tab or window that is active in the background can access the IndexedDB API. When you visit other websites, that data is also stored in the database, meaning your browsing history is also exposed to third-parties.
Here's an official video from the fingerprinting benchmark service, that illustrates how the vulnerability works. The website has a proof-of-concept demo page, that you can open from your macOS, iOS or iPadOS device, to test if your browser is affected by the IndexedDB bug. The demo site detects many including Alibaba, Google, Dropbox, Twitter, VK, WhatsApp, Xbox, to name a few, but many other websites could be targeted by the exploit.
I tried accessing the page on my old iPad, and Safari 14 does not seem to be impacted by the bug. But when my friend visited the demo site on his iPhone with Safari 15, the page said that his browser is vulnerable to the exploit, and revealed his unique Google ID number as proof of it.
The article first spotted by 9to5Mac, says that Apple is yet to patch this Safari bug, even though FingerprintJS had reported it to the Cupertino company on November 28th.
Big Tech loves you.
Apple’s ban on 3rd party browser engines on iOS mean ALL browsers (except as Ashwin mentioned – old, browsers that aren’t updated [yet]) are affected on iOS by the browser leak (per the Verge, yes the same Verge that couldn’t properly build a PC, and was the laughing stock of the internet – Here’s a link to Linus’s video mocking the Verge if you want a good laugh – https://www.youtube.com/watch?v=QKzmYsySGFQ) .
So AFAIK, all iPhones & iPads are affected.
MacOS users can just switch to a different browser that’s NOT Safari 15.
Cupertino goes round and round in circles.