Safari bug/exploit discovered that could leak Google account ID information and browsing history

This is why software updates exist and are generally a good thing.

A serious Safari bug, disclosed in this blog post from FingerprintJS, can reveal information about your recent browsing history and even some details of the logged-in Google account.

The bug, which was found in Safari's IndexedDB implementation on Mac and iOS, allows a website to see the names of databases for any domain, not just its own. These database names can then be used to extract identifying information from a lookup table.

In the example given, Google services store an IndexedDB instance for each of your logged-in accounts, with the name of the database corresponding to your Google User ID.

Should this be exploited, a nefarious website could scrape your Google User ID and then use that ID to locate additional information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user’s profile picture is revealed.

The bug is simply that the names of all IndexedDB databases are available to any site; access to the actual content of each database is restricted. The fix, and the correct behaviour observed on other browsers like Chrome, would be that a website can only see the databases created by the same domain name as its own.
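The difference between the bug and the fix, as an added example (not code from FingerprintJS, Apple, or the original post): a toy in-memory model in which `IdbRegistry`, its methods, the origins and the database names are all hypothetical. It assumes "same domain" means same origin (scheme, host and port).

```javascript
// Added illustration: a toy model of a browser's IndexedDB bookkeeping.
// Class and method names are hypothetical; origins and database names are constructed.
class IdbRegistry {
  constructor() {
    this.dbs = []; // one record per database: { origin, name, data }
  }

  // A database belongs to the origin (scheme + host + port) of the page that created it.
  create(pageUrl, name, data) {
    this.dbs.push({ origin: new URL(pageUrl).origin, name, data });
  }

  // Behaviour described as the bug: every database name is returned, whoever asks.
  listNamesBuggy(_callerUrl) {
    return this.dbs.map((db) => db.name);
  }

  // Behaviour described as the fix: only names created by the caller's own origin.
  listNamesScoped(callerUrl) {
    const origin = new URL(callerUrl).origin;
    return this.dbs.filter((db) => db.origin === origin).map((db) => db.name);
  }

  // Content access is restricted in both cases: a cross-origin open finds nothing.
  open(callerUrl, name) {
    const origin = new URL(callerUrl).origin;
    const db = this.dbs.find((d) => d.origin === origin && d.name === name);
    return db ? db.data : null;
  }
}

function demo() {
  const reg = new IdbRegistry();
  // Constructed sample data: one service names its database after a user ID.
  reg.create("https://accounts.example/app", "user-1234567890", { prefs: "dark" });
  reg.create("https://news.example/", "article-cache", { items: 3 });

  const visitor = "https://other.example/page";
  return {
    buggy: reg.listNamesBuggy(visitor),   // names from every origin
    scoped: reg.listNamesScoped(visitor), // empty: the visitor created no databases
    own: reg.listNamesScoped("https://news.example/story"),
    crossOpen: reg.open(visitor, "user-1234567890"), // contents stay out of reach
  };
}
```

In the buggy listing the user-ID-bearing name is visible to an unrelated origin even though `open` still refuses the contents, which is why a name that encodes an identifier is enough to leak it.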

The current versions of Safari on macOS, iOS, and iPadOS are exploitable, and FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved. 

Stay tuned for additional details as they become available.

Via 9to5Mac, safarileaks, and FingerprintJS
