Safari Bug Leaks Your Data [Account Info, History, Location]

Safari’s WebKit engine has a defect in its implementation of the IndexedDB API, which may allow law enforcement agencies to view browsing history in real time or even learn users’ identities.

IndexedDB is a popular browser API that provides a versatile client-side database without capacity constraints.

It can be used to cache website data for offline viewing. Modules, development tools, and browser extensions can also use it to store sensitive information.

To protect stored information from cross-site scripting attacks, IndexedDB follows the same-origin policy, which controls access to these resources.

FingerprintJS analysts noted that the IndexedDB API in the WebKit implementation used by Safari 15 on macOS does not follow the same-origin policy it is supposed to follow, exposing sensitive information.

This privacy-violating Safari bug leaks your Google account info and also affects web browsers on the latest Apple operating systems, including iOS and iPadOS.

The Problem In Safari 15

In Safari 15 for iOS, iPadOS, and macOS, the IndexedDB implementation violates the same-origin policy, so the names of databases created by one website are exposed to other websites.

Because database names are website-specific, exposing them is similar to exposing the browsing history to anyone.

The most severe problem is that frequently used database names contain login IDs, which creates a risk of identity theft.

Impact And Mitigation

According to the researchers, identifying someone through this flaw requires that person to be logged in to popular websites such as YouTube and Facebook, or to services such as Google Calendar and Google Keep.

Accessing these sites creates a new IndexedDB database and appends the Google User ID of the logged-in user onto the database name. If multiple Google accounts are used, then individual databases are created for each one.
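A site-side check for the naming pattern described above, as an added example (not code from the FingerprintJS report or from any site named here): it flags IndexedDB database names on your own origin that embed identifier-like tokens and reports name templates that create one database per account. The patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Heuristic patterns for identifier-like tokens (assumptions; tune to your own ID formats).
// Order matters: more specific patterns are tried first.
const ID_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "numeric-id", re: /\d{10,}/ }, // long digit runs, e.g. numeric account IDs
];

// Return the first identifier-like token found in a database name, or null.
function classifyName(name) {
  for (const { kind, re } of ID_PATTERNS) {
    const m = re.exec(name);
    if (m) return { name, kind, token: m[0] };
  }
  return null;
}

// Audit a list of names: collect findings and detect templates that differ
// only in the identifier, which indicates one database per logged-in account.
function auditDatabaseNames(names) {
  const findings = names.map(classifyName).filter(Boolean);
  const counts = new Map();
  for (const f of findings) {
    const template = f.name.replace(f.token, `<${f.kind}>`);
    counts.set(template, (counts.get(template) || 0) + 1);
  }
  const perAccountTemplates = [...counts].filter(([, n]) => n > 1).map(([t]) => t);
  return { findings, perAccountTemplates };
}

// In a browser, list the databases of the current origin (empty list elsewhere).
async function listOwnDatabaseNames() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  return (await indexedDB.databases()).map((db) => db.name);
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline.settings.123456789012345678901",
  "offline.settings.987654321098765432109",
  "sync-3f2b8c1e-9a4d-4e6f-8b2a-1c5d7e9f0a3b",
  "drafts:alice@example.com",
];

const sampleReport = auditDatabaseNames(SAMPLE_NAMES);
console.log(JSON.stringify(sampleReport, null, 2));
```

In a page context, pass the result of `listOwnDatabaseNames()` to `auditDatabaseNames()`; names it flags are candidates for replacing the identifier with a value that is not tied to the account.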

“We checked the homepages of Alexa’s Top 1000 most visited websites to understand how many websites use IndexedDB and can be uniquely identified by the databases they interact with,” mentions the FingerprintJS report.

“The results show more than 30 websites that are indexed by unique indexes directly on their homepages, without any additional user interaction or the need to authenticate.”

“There will be an increase in this figure in real-life scenarios when websites can interact directly with databases on subpages to preselect information after a certain action is initiated, or on an authenticated part of the page.”

In some cases where a subresource creates databases named with a UUID (universally unique identifier), Safari’s tracking prevention systems intervene to block the leak of information. As a further benefit, extensions that block ads also help here.

Safari 15’s private mode is also affected, but each private browsing session is limited to a single tab, so the information that may be leaked is restricted to websites visited through that one tab.

Note that because this is an issue with WebKit, any browser utilizing this particular engine (such as Brave or Chrome for iOS) is also vulnerable.

To determine whether the bug affects your browser, you can view this page, which reproduces the relevant API leak.

The vulnerability was reported to the WebKit Bug Tracker on November 28, 2021, and as of this writing it remains unaddressed.

Installing security updates once they are available should mitigate the problem. More extreme measures, however, may break the interactivity of many web pages.

Switching to a non-WebKit-based web browser is the only viable workaround at this point, but it only applies to macOS. On iOS and tvOS, all browsers are affected.