Skip to main content

Safari bug can leak some of your Google account info and recent browsing history

A serious Safari bug disclosed in this blog post from FingerprintJS can disclose information about your recent browsing history and even some info of the logged-in Google account.

A bug in Safari’s IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a lookup table. You can try it out for yourself with this live demo.

For instance, Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID.

Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user’s profile picture is revealed.

The proof-of-concept only keeps a lookup table of about 30 domain names, however there’s no reason the technique could not be applied to a much larger set. Almost any website that uses the IndexedDB JavaScript API could be vulnerable to such data scraping.

The bug is simply that the names of all IndexedDB databases is available to any site; access to the actual content of each database is restricted. The fix — and the correct behaviour observed on other browsers like Chrome — would be that a website can only see the databases created by the same domain name as its own.

All current versions of Safari on iPhone, iPad and Mac are exploitable. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Benjamin Mayo Benjamin Mayo

Benjamin develops iOS apps professionally and covers Apple news and rumors for 9to5Mac. Listen to Benjamin, every week, on the Happy Hour podcast. Check out his personal blog. Message Benjamin over email or Twitter.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications