Safari 15 bug can leak your personal information

Recent findings from FingerprintJS, a browser fingerprinting and fraud detection service, have revealed that a software bug in Safari 15 can leak your identity and allow any website to track your Internet activity. The bug is related to the Apple browser’s implementation of an application programming interface (API) called IndexedDB, which is designed to store data in your browser. 

Read on to learn more about the API and how exactly it’s leaking this data. 

What is IndexedDB API?

Supported by many major browsers, the IndexedDB API provides client-side (browser) storage that can hold significant amounts of data. In practice, it’s used to save data from websites you visit so that they load faster when you return. It does this by creating a database to store the data for each website you visit. These databases are supposed to be private to each individual site, so that one domain cannot access the database of another. In short, a domain should only access the data that it generated.

This restriction is known as the same-origin policy, an important concept in web application security. It ensures that if you have several browser tabs open where you’re logged into personal accounts and you happen to open another tab with a malicious web page, that page won’t be able to view or access the data contained in the other tabs.

The problem with the implementation of the IndexedDB API in Safari 15 is that it violates the same-origin policy.

How the bug leaks your data

According to FingerprintJS, during a browser session in Safari 15, whenever a website interacts with a database, the IndexedDB API also creates a new (empty) database with the same name in all other active frames, tabs, and windows. This is a problem because it not only allows any active websites you have open to see the other websites you visit, but it can also reveal user-specific identifiers on websites that require users to be authenticated.

A major example is any site that uses Google User ID, such as YouTube, Gmail, or Google Calendar. All of these sites create databases that include the user’s Google User ID, and databases are created for every account the user is logged into. If malicious users have access to this ID, they could potentially use it to reveal a great deal of personal information about the account owner, as well as other online accounts linked to their Google User ID.
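For developers who run their own site, the audit below is an added example (not code from FingerprintJS or from this article). It lists the database names visible to your origin through the standard `indexedDB.databases()` call, flags names your site never created, and flags your own names that embed a user identifier. The database names and the identifier `1234567890` are constructed samples.

```javascript
// Added example: audit the IndexedDB names visible to one origin.
// classifyNames is pure so it can be exercised outside a browser.
function classifyNames(listedNames, ownNames, sensitiveValues) {
  const own = new Set(ownNames);
  const report = { unexpected: [], exposing: [] };
  for (const name of listedNames) {
    if (typeof name !== "string") continue; // ignore malformed entries
    if (!own.has(name)) {
      // Not created by this origin (assumes ownNames also lists the
      // databases made by libraries you load): isolation is broken.
      report.unexpected.push(name);
    } else if (sensitiveValues.some((v) => v !== "" && name.includes(v))) {
      // Our own database name carries a user identifier that a
      // leaky browser would show to other origins.
      report.exposing.push(name);
    }
  }
  return report;
}

// idb is window.indexedDB in a browser; any object with the same
// databases() method works. Returns null when names cannot be listed.
async function auditIndexedDB(idb, ownNames, sensitiveValues) {
  if (!idb || typeof idb.databases !== "function") return null;
  const listed = await idb.databases(); // [{ name, version }, ...]
  return classifyNames(listed.map((d) => d.name), ownNames, sensitiveValues);
}

// Constructed sample standing in for a browser that leaks names.
const sampleIdb = {
  databases: async () => [
    { name: "app-cache", version: 1 },
    { name: "prefs.1234567890", version: 2 }, // embeds a sample user ID
    { name: "other-site-store", version: 1 }, // created by another origin
  ],
};
const sampleOwnNames = ["app-cache", "prefs.1234567890"];
const sampleSensitive = ["1234567890"];
```

In a browser, call `auditIndexedDB(window.indexedDB, ownNames, sensitiveValues)`; a non-empty `exposing` list means the database should be renamed so that it no longer contains the identifier.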

For an example of this kind of data leak in action, check out this video.

What can you do about it?

For Windows users who use Safari, switch to another web browser. For Safari users on iPadOS and iOS, there’s not much you can do since Apple has banned all third-party browser engines. This means that switching browsers won’t help. FingerprintJS suggests the drastic measure of blocking JavaScript by default and only permitting it on trusted sites. However, this isn’t a very practical solution. For now, the best solution is to keep an eye on browser updates and make sure to update yours as soon as Apple resolves the issue.
