Safari browser has a serious bug that exposes browsing activity and user identity

Tram Ho

As discovered by FingerprintJS, the Safari 15 browser has a serious bug that can reveal browsing activities and some personal information related to a user’s Google account. It is known that this security hole stems from Apple’s implementation of IndexedDB, an API that helps store data in the browser.

According to FingerprintJS, the IndexedDB API must ensure compliance with the ‘same-origin’ policy, which can only be accessed by websites that generate the data and prevent other sources from collecting the data. For example, if you open your email account in one tab and then open a malicious website in another tab, the same-origin policy helps prevent the malicious website from being able to view and interfere with your email tab. .

Trình duyệt Safari gặp lỗi nghiêm trọng làm lộ hoạt động duyệt web và danh tính người dùng - Ảnh 1.

However, FingerprintJS discovered that Apple’s IndexedDB API in Safari 15 is not in fact compliant with this same-origin policy. When a web page creates a new database in the Safari browser, another database with the same name is created in all tabs of the same browser session.

This means that other websites can collect databases of each other, and they can contain personal information as well as your entire browsing activity. FingerprintJS notes that websites that use Google accounts like YouTube, Gmail or Google Calendar create databases with information about the user’s Google account.

 

 

FingerprintJS has conducted testing on Safari 15 of Mac, iPhone and iPad computers. This demo uses the aforementioned vulnerability, to identify websites you’ve opened and shows that Google account information can be obtained.

Currently, users have no way to fix this security hole, even using Private Browsing mode in Safari. You can use a different browser on macOS, but with iOS there is no other way.

FingerprintJS has reported this vulnerability to Apple since November 28, but so far there is no patch for the Safari browser.

Reference: theverge

Share the news now

Source : Genk