Safari bug lets nefarious sites scoop your browsing history and Google account info

Zohaib Ahmed — Mon, 17 Jan 2022 13:06:10 +0000

A bug in Safari found by security company FingerprintJS (via 9to5Mac) can let any website track your browsing history and even some information pertaining to the logged-in Google account.

It is present in Safari’s IndexedDB implementation on Mac and iOS and lets websites see names of databases for any domain and not just its own. IndexedDB is a Javascript API that according to the report holds “a significant amount of data.”

These database names can then be used to extract identifying information from a lookup table. Google services, for example, store an IndexedDB instance for each of your logged-in accounts. This can be accessed by malicious sites to unearth other information about you, such as your Google account profile picture.

While the proof-of-concept demo by FingerprintJS only keeps an index of about 30 sites, there’s quite a chance of the exploit being applied to a much larger set. Almost every site that uses the IndexedDB JavaScript API could be vulnerable to such data scraping.

Unfortunately, there isn’t much that can be done from the user’s end to fix the Safari bug other than blocking Javascript completely on untrusted sites, which isn’t too feasible as doing so will likely be breaking stuff on web pages.

The only proper fix can obviously be applied by Apple alone. Browsers like Chrome only let websites access databases on IndexedDB created by the same domain name as their own, and it’s time Apple heads the same way with Safari.

FingerprintJS says that it has already reported the bug to Apple on November 28 but a fix still remains to be seen.

Apple Safari Archives - Gizmochina

Safari bug lets nefarious sites scoop your browsing history and Google account info