Apple’s Safari has a bug that can leak browser history & Google account info

Valentine Muhamba

Apple users on Mac, iOS and iPadOS are vulnerable to a bug that can leak their browser history and some of their Google account information. According to a report by 9to5Mac, the bug was disclosed by FingerprintJS, a browser fingerprinting library that queries browser attributes. FingerprintJS said that the vulnerability was found in Safari 15 across all platforms and in third-party browsers (Chrome, Brave etc.).

The bug is in Safari’s implementation of the Indexed Database API (IndexedDB), which is how major web browsers store information on behalf of websites. IndexedDB follows the same-origin policy (SOP), which basically means that one origin (defined by its domain, protocol etc.) is restricted from loading information that belongs to another.

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.”


The leak is bad because certain sites, like YouTube and others that use user ID authentication, create databases of sign-ins from tabs and windows. So whilst the content of the websites is not leaked, FingerprintJS says that the Google IDs (username, profile picture) could be used by unsavoury website owners to target specific users. The information could also be used to map the sites that you frequent and build a profile of your activity and, to make matters worse, Private Browsing (Private/Incognito Mode) won’t stop them.
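The behaviour FingerprintJS describes can be modelled in a few lines. This is an added example, not code from FingerprintJS, Apple or the original article: a toy JavaScript session model whose class, function, origin and database names are all assumptions, contrasting origin-scoped databases with the session-wide duplication of names described in the quote.

```javascript
// Toy model of one browser session (constructed; not Safari's code).
// Each open frame/tab is keyed by its origin and holds a set of database names.
class Session {
  constructor({ leaky }) {
    this.leaky = leaky;       // true = behaviour described in the report
    this.frames = new Map();  // origin -> Set of database names
  }
  openFrame(origin) {
    if (!this.frames.has(origin)) this.frames.set(origin, new Set());
  }
  // A page at `origin` opens (or creates) a database called `name`.
  openDatabase(origin, name) {
    this.openFrame(origin);
    this.frames.get(origin).add(name);
    if (this.leaky) {
      // Bug: an empty database with the same name appears in every
      // other active frame of the session, whatever its origin.
      for (const [other, names] of this.frames) {
        if (other !== origin) names.add(name);
      }
    }
  }
  // Database names visible to script running at `origin`.
  visibleNames(origin) {
    return [...(this.frames.get(origin) || [])].sort();
  }
}

// Isolation check: names an origin can see but did not create itself.
function foreignNames(session, origin, ownNames) {
  return session.visibleNames(origin).filter((n) => !ownNames.includes(n));
}

function scenario(leaky) {
  const s = new Session({ leaky });
  s.openDatabase("https://news.example", "prefs"); // tab already open
  // Constructed name standing in for a database tied to a signed-in account.
  s.openDatabase("https://video.example", "offline.user-1234");
  return foreignNames(s, "https://news.example", ["prefs"]);
}

console.log("same-origin enforced:", scenario(false));
console.log("leaky session:", scenario(true));
```

With the same-origin policy enforced, the first tab sees only its own database; in the leaky session it also sees the name created by the second site, which is why database names alone are enough to reveal visited sites.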

FingerprintJS said that it duly notified Apple of the vulnerability last year but says the company has yet to address the issue. For Apple users, the only way to protect themselves in the meantime is by blocking all JavaScript by default, but this will make browsing cumbersome. Another alternative offered by FingerprintJS is to switch to a third-party browser until the leak is dealt with.

