 Safari 15 bug can leak your recent browsing, activity and personal identifiers

TSdaisiesdontdoit92
post Jan 18 2022, 06:18 AM, updated 2y ago

On my way
****
Junior Member
574 posts

Joined: Jan 2020


The bug could expose your Google User ID to other sites.

This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines.

QUOTE
A bug in Safari 15 can leak your browsing activity, and can also reveal some of the personal information attached to your Google account, according to findings from FingerprintJS, a browser fingerprinting and fraud detection service (via 9to5Mac). The vulnerability stems from an issue with Apple’s implementation of IndexedDB, an application programming interface (API) that stores data on your browser.

As explained by FingerprintJS, IndexedDB abides by the same-origin policy, which restricts one origin from interacting with data that was collected on other origins — essentially, only the website that generates data can access it. For example, if you open your email account in one tab and then open a malicious webpage in another, the same-origin policy prevents the malicious page from viewing and meddling with your email.

FingerprintJS found that Apple’s application of the IndexedDB API in Safari 15 actually violates the same-origin policy. When a website interacts with a database in Safari, FingerprintJS says that “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”

This means other websites can see the name of other databases created on other sites, which could contain details specific to your identity. FingerprintJS notes sites that use your Google account, like YouTube, Google Calendar, and Google Keep, all generate databases with your unique Google User ID in its name. Your Google User ID allows Google to access your publicly-available information, such as your profile picture, which the Safari bug can expose to other websites.

FingerprintJS created a proof-of-concept demo you can try out if you have Safari 15 and above on your Mac, iPhone, or iPad. The demo uses the browser’s IndexedDB vulnerability to identify the sites you have open (or opened recently), and shows how sites that exploit the bug can scrape information from your Google User ID. It currently only detects 30 popular sites that are affected by the bug, including Instagram, Netflix, Twitter, and Xbox, but it likely affects far more.

Unfortunately, there’s not much you can do to get around the issue, as FingerprintJS says the bug also affects Private Browsing mode on Safari. You can use a different browser on macOS, but Apple’s third-party browser engine ban on iOS means all browsers are affected. FingerprintJS reported the leak to the WebKit Bug Tracker on November 28th, but there hasn’t been an update to Safari yet. The Verge reached out to Apple with a request for comment but didn’t immediately hear back.
https://www.theverge.com/2022/1/16/22886809...nal-information

This post has been edited by daisiesdontdoit92: Jan 18 2022, 06:19 AM
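
Added example (not part of the thread or the quoted article): because the leak described above exposes database names rather than database contents, a site owner can audit the names its own origin creates for embedded user identifiers. The patterns, function names and sample names below are assumptions constructed for illustration.

```javascript
// Heuristic patterns for identifier-like substrings (chosen for this example).
const IDENTIFIER_PATTERNS = [
  { kind: "long-numeric-id", re: /\d{12,}/ },
  { kind: "email", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
];

// Flag database names that embed a known user ID or an identifier-like token.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const id of knownUserIds) {
      if (id && name.includes(id)) reasons.push("known-user-id");
    }
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      if (re.test(name)) reasons.push(kind);
    }
    if (reasons.length) findings.push({ name, reasons: [...new Set(reasons)] });
  }
  return findings;
}

// In a browser, audit the databases belonging to the current origin.
// indexedDB.databases() resolves to a list of { name, version } entries.
async function auditThisOrigin(knownUserIds = []) {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null; // API not available (for example, when run under Node)
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name), knownUserIds);
}

// Constructed sample names; the user ID is made up.
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.123456789012345678901",
  "drafts:alice@example.com",
  "media-v2",
];
const sampleFindings = auditDatabaseNames(SAMPLE_NAMES, ["123456789012345678901"]);
console.log(sampleFindings);
```

Names that get flagged are candidates for a fixed database name, with the per-user separation moved into object stores or keys inside the database.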
wanna be hi-tech
post Jan 21 2022, 11:49 AM

Any self respecting GEEK, certainly owns more than a single rig
******
Senior Member
1,598 posts

Joined: Jan 2010


Parking.
syiq P
post Jul 14 2022, 03:18 AM

New Member
*
Probation
10 posts

Joined: Jul 2022



Alright, that's it- cry.gif

I'm officially scared to use Safari now sweat.gif sweat.gif cry.gif
BrightDays
post Jul 22 2022, 11:14 PM

Getting Started
**
Junior Member
97 posts

Joined: May 2022
QUOTE(daisiesdontdoit92 @ Jan 18 2022, 06:18 AM)
The bug could expose your Google User ID to other sites.

This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines.
Hello, are there any updates in regard to this matter?
TSdaisiesdontdoit92
post Jul 22 2022, 11:36 PM

On my way
****
Junior Member
574 posts

Joined: Jan 2020


QUOTE(BrightDays @ Jul 22 2022, 11:14 PM)
Hello, are there any updates in regard to this matter?
*
Apple was able to fix the bug https://9to5mac.com/2022/01/20/ios-15-3-rc-...google-id-data/
iOS 15.3 RC fixes Safari bug that gives websites access to browsing history and Google ID data
BrightDays
post Jul 23 2022, 12:01 PM

Getting Started
**
Junior Member
97 posts

Joined: May 2022
QUOTE(daisiesdontdoit92 @ Jul 22 2022, 11:36 PM)
Apple was able to fix the bug
iOS 15.3 RC fixes Safari bug that gives websites access to browsing history and Google ID data
*

Thank you for the update
