A serious Safari bug, described in this blog post from FingerprintJS, can leak information about your recent browsing history and even some details of the Google account you are logged into.
A bug in Safari’s IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a lookup table. You can try it out for yourself with this live demo.
For instance, Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID.
Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user’s profile picture is revealed.
The proof-of-concept only keeps a lookup table of about 30 domain names, however there’s no reason the technique could not be applied to a much larger set. Almost any website that uses the IndexedDB JavaScript API could be vulnerable to such data scraping.
The bug is simply that the names of all IndexedDB databases are visible to any site; only access to the actual content of each database is restricted. The fix — and the correct behaviour observed on other browsers such as Chrome — is that a website can only see the databases created by its own origin.
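The leak is only harmful because sites put identifying values (such as a Google User ID) into the database name, which the bug exposes, while the database contents stay protected. The following is an added example, not code from the article or from FingerprintJS, showing that naming pattern beside a hardened alternative and a small audit helper a site owner can run against their own origin. The function names (`dbNameVulnerable`, `dbNameHardened`, `auditDatabaseNames`, `storeAccount`), the database name `app-cache` and the sample names are all hypothetical.

```javascript
// Added example (not from the article or FingerprintJS): the naming pattern
// that makes the Safari name leak harmful, a hardened alternative, and an
// audit helper for a site's own IndexedDB names.

// Vulnerable pattern (hypothetical app code): the account ID becomes the
// database name, so any page that can list database names learns who is
// logged in. Shown only for contrast; do not use.
function dbNameVulnerable(accountId) {
  return String(accountId);
}

// Hardened pattern: one fixed, non-identifying database name per app. The
// account identifier lives inside the database as a record key, where the
// same-origin policy still protects it even on a browser with the name leak.
const APP_DB_NAME = 'app-cache';
const APP_STORE = 'accounts';

function dbNameHardened() {
  return APP_DB_NAME;
}

// Heuristic audit: flags database names that look like identifiers
// (long digit strings such as account IDs, e-mail addresses, UUIDs).
const ID_PATTERNS = [
  /^\d{10,}$/,
  /^[^@\s]+@[^@\s]+\.[^@\s]+$/,
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
];

function looksIdentifying(name) {
  return ID_PATTERNS.some((re) => re.test(name));
}

function auditDatabaseNames(names) {
  return names.filter(looksIdentifying);
}

// Browser-only: list this origin's own databases with the standard
// indexedDB.databases() API and report names that would identify a user.
// Returns null outside a browser (e.g. under Node) or if the API is missing.
async function auditOwnOrigin() {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return null;
  }
  const infos = await indexedDB.databases();
  return auditDatabaseNames(infos.map((info) => info.name));
}

// Browser-only: open the hardened database and store the account record
// under its ID, so the ID never appears in a database name.
function storeAccount(accountId, profile) {
  return new Promise((resolve, reject) => {
    const req = indexedDB.open(APP_DB_NAME, 1);
    req.onupgradeneeded = () => req.result.createObjectStore(APP_STORE);
    req.onerror = () => reject(req.error);
    req.onsuccess = () => {
      const db = req.result;
      const tx = db.transaction(APP_STORE, 'readwrite');
      tx.objectStore(APP_STORE).put(profile, String(accountId));
      tx.oncomplete = () => { db.close(); resolve(); };
      tx.onerror = () => reject(tx.error);
    };
  });
}

// Constructed sample names for the audit (made up, not real IDs or accounts).
const SAMPLE_NAMES = ['app-cache', '118273645501923847562', 'user@example.com', 'settings'];

// auditDatabaseNames(SAMPLE_NAMES) flags the numeric ID and the e-mail address.
```

Running `auditOwnOrigin()` in a page's devtools console lists the names that would be exposed to other origins on an affected Safari build; a clean result means the site has nothing identifying in its database names even if the browser leaks them.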
All current versions of Safari on iPhone, iPad and Mac are exploitable. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved.