Security experts have discovered a major flaw in the latest version of Apple’s Internet browser that leaks browsing history and even certain identity information stored in linked Google accounts.
According to a blog post by cybersecurity service provider FingerprintJS, the problem lies in Apple's implementation of IndexedDB, an API used to store data in Safari 15.
Safari 15 has a security measure that prevents malicious pages opened in one tab from reading the data generated by websites opened in another tab. According to FingerprintJS, the IndexedDB API in Safari 15 does not adhere to this policy (called the same-origin policy). Instead, “a new (empty) database with the same name is created in all other active frames, tabs, and windows within same browser session.”
No patch yet
The researchers also explained how the flaw could be used to obtain Google account information. Google’s services (e.g. YouTube) generate databases with the unique Google user ID in their name. Because these IDs are used to access public information, such as a profile picture, other sites can also see them.
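To make the behaviour quoted above and the user-ID exposure concrete, here is a small model of a browser session, added as an illustration (it is not FingerprintJS's or WebKit's code). The class, function names, origins and the `app-USERID-PLACEHOLDER` database name are all constructed assumptions; the model shows that with correct same-origin scoping another origin sees nothing, while with the described bug it sees the database name, though not its contents.

```javascript
// Toy model of one browser session (constructed for illustration, not WebKit code).
class SessionModel {
  constructor({ leaky }) {
    this.leaky = leaky;        // true models the Safari 15 behaviour quoted above
    this.stores = new Map();   // origin -> Map(dbName -> records[])
  }
  // A frame, tab or window for `origin` becomes active in this session.
  openContext(origin) {
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
  }
  // Models `origin` opening a database by name and writing records to it.
  createDatabase(origin, name, records) {
    this.openContext(origin);
    this.stores.get(origin).set(name, [...records]);
    if (!this.leaky) return;   // correct behaviour: nothing crosses origins
    // Bug: an empty database with the same name appears in every other active context.
    for (const [other, dbs] of this.stores) {
      if (other !== origin && !dbs.has(name)) dbs.set(name, []);
    }
  }
  // Models listing the database names visible to `origin`.
  listDatabases(origin) {
    return [...(this.stores.get(origin) || new Map()).keys()].sort();
  }
  // Models `origin` reading a database's contents; null if it does not exist there.
  readDatabase(origin, name) {
    const dbs = this.stores.get(origin);
    return dbs && dbs.has(name) ? [...dbs.get(name)] : null;
  }
}

// What a second origin can see after a site creates a database named with a user ID.
function observe(leaky) {
  const dbName = "app-USERID-PLACEHOLDER";   // constructed name, not a real format
  const session = new SessionModel({ leaky });
  session.openContext("https://observer.example");
  session.createDatabase("https://video.example", dbName, ["watch history"]);
  return {
    names: session.listDatabases("https://observer.example"),
    contents: session.readDatabase("https://observer.example", dbName),
  };
}
```

In the model, the leak is the name itself: any identifier embedded in a database name becomes visible across origins even though the stored records stay isolated.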
To show how a website can learn a visitor’s recent and current browsing activity, the researchers have also built a demo which you can find at this link. At the moment it detects 30 affected sites, but the list is probably a lot bigger.
At the moment there doesn’t seem to be a solution to the problem. As reported by The Verge, the issue even affects Private Browsing mode in Safari, and because Apple bans third-party browser engines on iOS, all other browsers there are affected as well.
The bug was reported to the WebKit Bug Tracker in late November last year, but Apple hasn’t released an update for the browser yet and is silent on the matter.
Via: The Verge