A bug discovered on Apple Safari 15 browser could make users vulnerable to browsing history and Google account information leaks, an article published by FingerprintJS on January 15, 2022, reveals. According to FingerprintJS, a browser’s fraud and fingerprinting detection firm, the security flaw witnessed on Safari 15 is attributed to a flawed IndexedDB implementation.
As reported by FingerprintJS, the Apple Safari 15 browser used by the latest version of iPadOS, iOS, And MacOS have a bug in the IndexedDB, making it vulnerable to an information leak that can allow malicious actors to retrieve browser user’s Google ID and browsing history.
Safari 15 IndexedDB Violation of Same-Origin Policy
Under normal circumstances, the IndexedDB follows the same-origin policy, fundamental security, which restricts scripts and documents loaded from a single unique origin from interacting with those from another origin. Since the indexed databases are usually associated with a particular origin defined by the protocol, domain (hostname), and the URL port used to access the database, scripts or documents related to a different origin should never interact with other origins.
With the same-origin policy implemented, the browser secures a session in one tab from another website you’ve visited in a separate tab, preventing malicious pages from viewing the information in another webpage and exploiting them for wrong reasons. However, this isn’t the case for Safari 15 browser as it allows scripts from different origins to interact, resulting in a same-origin policy violation.
According to FingerprintJS, “Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” resulting in what the researchers called “cross-origin-duplicated databases.”
Risks of Same-Origin Policy Violation
Same-origin policy violation witnessed on Safari 15 makes browsing databases visible across other arbitrary websites, allowing attackers to view the details of the websites you’re browsing since the databases appear unique and website specific. For instance, if you’ve opened different websites on different tabs on the Safari browser, databases created by the websites are visible to other websites on the same window, putting you at risk of leaking some information specific to your identity, such as Google User ID.
Leaking information related to your Google account occurs when browsing Google Calendar, Google Keep, and YouTube, which uses your Google account. While your Google User ID allows Google to gain access to your public information, including your profile photo, the bug in Safari 15 can leak the same information to other websites.
During FingerprintJS Demo, the researchers exploited the Safari IndexedDB vulnerability to view at least 30 recently visited websites on the browser and show how websites can use the bug to extract personal Google user details, including a profile image. Using the same procedure, attackers can take advantage of the bug to view your browsing activity and unique identifiers associated with your Google account.
Is There a Workaround for the Bug on Safari 15?
According to the researchers, those using Safari 15 on macOS can switch to other third-party browsers until Apple fixes the bug. But those using Safari on iOS and iPadOS have no practical solution at the moment as all browsers running on iOS and iPadOS are affected.
The researchers also note that disabling Java scripts on your browser by default and allowing them only for trusted sites can reduce the amount of information leaked. Unfortunately, this option is likely to impact your browsing experience as most websites use Java-scrip to offer a modern browsing experience for users.
Despite having some of the options mentioned earlier at your disposal, the problem can only be permanently solved by upgrading your Safari browser to a newer version when Apple releases a new version of Safari with the glaring error fixed.
Like our tech news? Sign up to subscribe to email alerts and you’ll never miss a post.