According to findings from FingerprintJS, a browser fingerprinting and fraud detection service, a bug in Safari 15 may reveal your online activity and some personal information linked to your Google account (via 9to5Mac). The problem relates to Apple’s implementation of IndexedDB, an API that stores data in your browser.
IndexedDB, like all Web databases, adheres to the same-origin policy, which means that one origin can’t interact with data generated on other origins. The same-origin policy prevents a malicious page from viewing and tampering with your email if you open your email account in one tab and then visit a harmful site in another.
The Safari bug that exposes your Google User ID to other sites
Apple’s implementation of the IndexedDB API in Safari 15, according to FingerprintJS, violates the same-origin policy. When a website interacts with a database in Safari, FingerprintJS claims that “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”
This means that other websites may view the names of databases created on other sites, and those names may contain information specific to your identity. FingerprintJS identifies websites that use your Google account, such as YouTube, Google Calendar, and Google Keep, among others. Because your Google User ID allows Google to access your publicly available data, like your profile image, the Safari vulnerability can expose it to other websites.
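A defensive check a site owner could run, added here as an illustration and not taken from FingerprintJS or the article: because the bug exposes database names across origins, this flags names on your own origin that embed user identifiers. The patterns, function names and sample database names are assumptions constructed for the example; `indexedDB.databases()` is the standard API for listing an origin's own databases.

```javascript
// Added example: audit the IndexedDB database names of your OWN origin for
// embedded user identifiers. Patterns and sample names are constructed.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-numeric-id", re: /\d{10,}/ },
  { kind: "hex-token", re: /[0-9a-f]{32,}/i },
];

// Return the first identifier-like substring found in a name, or null.
function classifyName(name) {
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    const m = re.exec(name);
    if (m) return { name, kind, match: m[0] };
  }
  return null;
}

// Audit a list of database names; duplicates are reported once.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of new Set(names.map(String))) {
    const finding = classifyName(name);
    if (finding) findings.push(finding);
  }
  return findings;
}

// Browser entry point: inspects only the current origin's databases.
// Returns [] where IndexedDB or databases() is unavailable (e.g. Node).
async function auditThisOrigin() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline_store_118234567890123456789",
  "mail:alice@example.com",
  "session-3f2b8c1e-9a4d-4e7b-b1c2-0d9e8f7a6b5c",
  "settings",
];
```

Names that come back flagged are candidates for renaming to a fixed, user-independent string, with the identifier kept inside the database instead of in its name.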
This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. https://t.co/aXdhDVIjTT
— Jake Archibald (@jaffathecake) January 16, 2022
FingerprintJS created a proof-of-concept demo that you can try if you have Safari 15 or higher on your Mac, iPhone, or iPad. The demonstration uses the browser’s IndexedDB flaw to identify the sites you have open (or recently opened), and shows how sites that take advantage of the flaw can gather information from your Google User ID. It currently detects only 30 major sites that are impacted by the bug, such as Instagram, Netflix, Twitter, and Xbox, but the bug is likely to impact far more.
Unfortunately, there isn’t much you can do about it, because the bug affects Private Browsing mode in Safari as well. You can use a different browser on macOS, but on iOS all browsers are affected because of Apple’s ban on third-party browser engines. On November 28th, FingerprintJS reported the leak to the WebKit Bug Tracker, but there has yet to be an update to Safari.