A new bug found in the Safari browser can leak your personal information, including Google account details and recent browsing history, according to findings by FingerprintJS (via 9to5Mac). The bug is in Safari's implementation of IndexedDB, an API (Application Programming Interface) that saves users' browsing data.
As mentioned in a blog post by FingerprintJS, IndexedDB follows the same-origin policy, which prevents one origin from interacting with databases that were stored by other origins. Basically, only the website that collects the data can access it, but with this bug other websites can also track and access that website's data.
For instance, if you open your email account in Safari in one tab and a malicious website in a second tab, the same-origin policy restricts the malicious website from interfering with and viewing your email account information.
FingerprintJS reported that the main cause of this bug is that Apple's implementation of the API in Safari version 15 violates the same-origin policy. The blog post says that “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session” when a website accesses a database in Safari.
This means that websites can access the databases generated by other websites, which could reveal users' information and browsing history to other websites that might be malicious. Websites such as Google Keep, YouTube, Gmail, and Google Calendar generate databases with a unique Google ID. This unique Google ID allows Google to track and view your information, such as profile pictures and email addresses, which the bug in Safari can expose to other sites.
This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. https://t.co/aXdhDVIjTT
— Jake Archibald (@jaffathecake) January 16, 2022
FingerprintJS also created a proof-of-concept demo that users can try if they are on Safari version 15 on their iPad, iPhone or MacBook. The demo uses the IndexedDB vulnerability in the browser to find the sites that you have opened, and illustrates how different websites can exploit the bug and obtain personal information such as your Google ID. At the moment, only 30 websites, including Xbox, Instagram, Netflix, and Twitter, are affected by this vulnerability. However, more websites can be affected by it.
Sadly, FingerprintJS also mentioned that users browsing in incognito mode are affected by this bug as well, and users can't do anything about it yet. On a MacBook, all users can do is use a third-party browser, but on iPhone and iPad Apple restricts third-party browser engines, so every browser on iOS is affected by this bug.