Apple consistently works to make Safari as privacy-focused a browser as possible. However, a new bug in Safari 15 has left it open to exploitation: it can leak your Google account info along with activity such as your browsing history. Given its potential, this bug is a very serious privacy issue.
A blog post by FingerprintJS discloses that all current versions of Safari on iPhone, iPad, and Mac are exploitable. The bug was introduced in Safari 15's implementation of the IndexedDB API, and it lets any website track your internet activity and even reveal your personal identity.
How does this bug work?
Almost all major browsers support the IndexedDB API. IndexedDB is a browser API for client-side storage of data such as files and blobs. It is designed to hold significant amounts of data, which may include sensitive browsing information depending on the websites you visit.
IndexedDB follows the same-origin policy. The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. The origin here basically means a website.
With this bug, however, when you open new tabs, a new empty database with the same name is also created for the newly opened websites. This means every open site can see the IndexedDB database names of all the other sites open at the time, which creates a data pool that can violate your online privacy.
Whenever a website generates data, that data must be associated with that particular website only. Code running on one website should never be able to access data associated with another website.
IndexedDB leaks in Safari 15
In Safari 15 on macOS, iOS, and iPadOS 15, the IndexedDB API is found to be violating the same-origin policy. Every time a website interacts with a database, a new empty database with the same name is created in all other active frames, tabs, and windows within the same browser session.
Why is this a Privacy Violation?
Different websites in different tabs can access this new database name. Although the database is empty, it can leak a lot of sensitive information.
Any arbitrary website can know what websites the user visits in other tabs or windows of the browser. Furthermore, many websites use unique user-specific identifiers in database names. The example below explains more about it.
Google services create an IndexedDB instance for each of your logged-in accounts, with the database's name corresponding to your Google User ID. By exploiting the bug, a malicious website may scrape your Google User ID and then use that ID to obtain other personal information about you, because the ID is used to make API requests to Google services.
FingerprintJS has created a live demo page that demonstrates the vulnerability. You can try this demo at safarileaks.com.
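Because the leak exposes database names rather than contents, a site developer can reduce the damage by keeping identifiers out of the names their own site creates. The check below is an added example, not code from FingerprintJS or Apple: the patterns, function names and sample names are all constructed for illustration, and it relies only on the standard `indexedDB.databases()` call to list the current origin's databases.

```javascript
// Audit the IndexedDB database names your own origin creates and flag any
// that embed something user-specific. Patterns are illustrative assumptions.
const IDENTIFIER_PATTERNS = [
  { reason: "email address", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "long hex token", re: /[0-9a-f]{32,}/i },
  { reason: "long numeric ID", re: /\d{10,}/ },
];

// Returns one finding per suspicious name: which name, why, and the exact
// substring that would be visible to other origins under this bug.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    for (const { reason, re } of IDENTIFIER_PATTERNS) {
      const m = re.exec(name);
      if (m) {
        findings.push({ name, reason, leaked: m[0] });
        break; // first (most specific) pattern wins
      }
    }
  }
  return findings;
}

// Browser-only helper: run from the console on a page of your own site.
async function auditCurrentOrigin() {
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "keyval-store",
  "offline.settings.123456789012345678901",
  "mail-alice@example.com",
  "sync-3f2b8c1e-9a4d-4e7b-8c2f-1a2b3c4d5e6f",
  "app-cache-v2",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.name}: contains ${f.reason} (${f.leaked})`);
}
```

Names that are flagged are better replaced with a fixed name or a random value generated per browser, with the user-specific data kept inside the database, where the same-origin policy still protects it.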
How can you protect yourself against this bug?
Another option for Mac users is to switch to a different browser until the bug is resolved. Chrome is a popular choice, although with Google FLoC its privacy picture is not the same. iPhone and iPad users, however, have no such option, as Apple blocks all other browser engines on iOS and iPadOS.