Bug in Safari browser leaks personal identifiers and browsing activity

The bug affects the Safari 15 browser for Mac and all versions of Safari on iOS 15 and iPadOS 15.

Researchers at browser fingerprinting and fraud detection service, FingerprintJS, have identified that a bug in Safari 15 can leak a user’s Google User ID, exposing personal information linked with the Google account and browsing activity.

The bug affects new versions of browsers that use Apple’s open-source browser engine, WebKit. This includes Safari 15 for mac and all versions of Safari on iOS 15 and iPadOS 15.

About the Vulnerability

The bug stems from an issue identified in Apple’s application programming interface IndexedDB, which stores data on a browser. This API complies with the same-origin policy that restricts an origin from interacting with data collected on other origins. Only the site that generates data can access it.

However, in Safari 15, this API violates the same-origin policy. Therefore, when a site interacts with any database in Safari, a new database with the same name is created in other active tabs, windows, and frames within that browser session.

FingerprintJS has released a live demo of the bug as well, in which the company proved that the bug doesn’t affect Safari 14.

Dangers Associated with the Bug

Due to the bug, other websites can identify other databases names that have been created on other websites. These databases may contain details about a user’s identity since all websites such as YouTube, Google, Google Calendar, and Google Keep generate databases using your unique Google User ID.

This ID allows Google to access a user’s publicly available information, including your profile photo, as the bug would expose this information to other websites.

Moreover, the bug allows a website to track other websites that the user visits in different windows or tables, which shouldn’t be the case, and websites should only access their IndexedDB databases.

In short, the bug allows other websites using IndexedDB to access names of the IndexedDB databases that other websites have generated during the same browsing session.