Why it matters: Researchers have discovered a bug in Safari 15 that can allow a website to access your recent browsing history as well as your Google account ID and avatar. Apple is aware of the vulnerability and has been working on a patch since Sunday, January 16. As of January 18, developers have not released a fix.
Security firm FingerprintJS says that the bug is related to the IndexedDB API. In most browsers, a document from one domain’s database cannot be accessed by another website. However, the implementation of the API in Safari violates this “same-origin policy,” which could give a malicious website enough information to identify Safari users.
FingerprintJS explains its proof-of-concept (POC) demo in a video posted on January 14 (below). It also put a live copy of the POC on the web for those curious to see it in action in real time.
The researchers first reported the vulnerability (233548) to the WebKit Bug Tracker on November 28. As of this weekend, Apple engineers have marked the bug report as resolved, but TechSpot can confirm that the latest version of Safari remains unfixed as of January 18.
FingerprintJS points out that bad actors could use this exploit to identify users through a lookup table of known database names. Additionally, databases created by authenticated sessions can reveal a user’s unique ID and profile picture, further identifying the individual. For example, logging into any Google service, like YouTube or Gmail, authenticates the user across all Google services. So while any Google platform is open in another tab or browser window, a malicious site can learn that the service was just visited, along with the user’s unique identifier and avatar.
“The Google User ID is an internal identifier generated by Google,” the researchers explained. “It uniquely identifies a single Google account. It can be used with Google APIs to fetch public personal information of the account owner. The information exposed by these APIs is controlled by many factors. In general, at minimum, the user’s profile picture is typically available.”
Until a fix is issued, there is not much that users can do to mitigate this vulnerability aside from not using Safari. On the bright side, Apple marking the issue “resolved” indicates a patch is imminent.