"Safari 15 Bug Can Leak Your Recent Browsing Activity and Personal Identifiers"

Researchers at the browser fingerprinting and fraud detection service, FingerprintJS, discovered a vulnerability in Apple's implementation of IndexedDB in Safari 15 that can leak a user's browsing activity and reveal some of the user's personal information attached to their Google account. IndexedDB is a low-level browser Application Programming Interface (API) that stores client data. According to FingerprintJS, IndexedDB follows the same-origin policy for restricting one origin from interacting with data collected on other origins, meaning only the website that generates data can access it. For example, if a user opens their email account in one tab and then opens a malicious webpage in another tab, the same-origin policy stops the webpage from viewing and tampering with the user's email. However, FingerprintJS found that Apple's implementation of the IndexedDB API in Safari 15 violates the same-origin policy. The researchers discovered that a new empty database with the same name is created in all other active frames, tabs, and windows within the same browser session when a website interacts with a database in Safari. Therefore, other websites can see the name of other databases created on different websites, which could reveal specific details about a user's identity. FingerprintJS developed a proof-of-concept (POC) demo that uses the browser's IndexedDB vulnerability to identify the sites currently open or opened recently. The demo also shows how sites that exploit the bug can scrape information from a Google User ID. It currently detects 30 popular sites affected by the bug, including Instagram, Netflix, Twitter, and Xbox. This article continues to discuss findings surrounding the Safari 15 bug. 

The Verge reports "Safari 15 Bug Can Leak Your Recent Browsing Activity and Personal Identifiers"