This Safari bug could be leaking your recent browsing history

[MMT]

It’s been uncovered that a Safari 15 bug can disclose your recent browsing history and even some info from logged-in Google accounts.

A blog post from FingerprintJS (via 9to5mac) has revealed that a huge bug in Safari 15 can actually leak your recent browsing history from the app.

Anyone that has linked their Google account onto Safari could also be at risk of their personal information being revealed too.

This vulnerability has been linked back to an issue with the way Apple implements IndexedDB, which is an application programming interface (API) that stores data on your browser.

The bug means that a website can see the names of databases for any domain on Mac and iOS, not just their own. Using the names, websites can extract identifying information from a lookup table.

 

Get the unmatched feeling of security with award-winning protection against hackers, viruses and malware. Plus payment protection and privacy tools that guard you from every angle. Includes, Free VPN, Password Manager and Kaspersky Safe Kids. Now 50% off from just £19.99 per month

For instance, if you were to open up your email on one webpage and then open up another webpage that happens to be malicious, Apple’s application of API means that the malicious website can view your email and scrape your Google User ID, which can be used to find out more information about you.

Usually, a policy called same-origin policy would block this from happening, as it restricts one origin from interacting with data that is collected elsewhere; in other words, if you were to open your email and then a malicious website, the dangerous website would have no way of accessing your email or other webpages you interact with.

FingerprintsJS also mocked up a proof-of-concept demo, which shows us a lookup table of around 30 domain names that include the browser’s IndexedDB vulnerability, including Netflix, Twitter and Xbox. You can use the site if you have Safari on any Apple device to see any sites you have opened recently and see how the bug can access your information.

However, it has been pointed out that the same technique could be used on a larger set of domain names, with any website that uses IndexedDB JavaScript API now vulnerable to data scraping.

Unfortunately, all current versions of Safari on iOS and Mac are unprotected, with Apple currently not commenting on the issue that was originally reported by FingerprintJS on 28 November.

We will be sure to keep you updated with this leak as soon as more information comes out. We have reached out to Apple for a comment but had not heard back at the time this article was written.

 

ARTICLE