Safari is back in the spotlight. A few days ago, operators were furious about a new feature that would prevent them from blocking web pages or seeing users' browsing history. Now, a bug in Safari allows an attacker to learn your entire history and your unique Google account identifier.
The vulnerability was discovered by the fraud detection service FingerprintJS, which contacted the developers of the affected WebKit engine and offered free and open source code to fix it. The bug has not been fixed, and for this reason the FingerprintJS team has decided to make the vulnerability public to speed up its patching.

The bug is not patched
The flaw lies in a bad implementation of the IndexedDB API. This API is designed so that documents or scripts originating from one site do not interact with resources originating from other origins. A website opened in one tab should not be able to share data with another tab; each must always stay isolated from the others. Otherwise, malware could learn, for example, our bank details.
However, the Safari vulnerability allowed separate web pages to interact with each other. In Safari 15, every time a website interacts with an IndexedDB database, a new, empty database with the same name is created in all other active frames, tabs, and windows in the same browser session. The consequence is that other websites can access the names of the databases and learn, for example, information about a Google account.

Among that information is the unique identifier of a Google account. With this, an attacker can obtain personal information and identify multiple separate accounts belonging to the same user. The team of researchers has discovered that, of the 1,000 most visited websites in the world according to the Alexa ranking, there are 30 that use vulnerable indexed databases. Browsing in incognito or private mode does not solve the problem, although it does help limit the amount of information available.
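Because the leak exposes database names rather than contents, a site developer can reduce exposure by checking that the names their own application passes to IndexedDB carry no user-identifying values. The following is an added example, not code from FingerprintJS or WebKit; the function name, the patterns and all sample names and IDs are assumptions constructed for illustration.

```javascript
// Added example: audit the IndexedDB database names an application creates.
// Input is the list of names your own code opens; nothing is read from the browser.

// Hypothetical heuristics for values that could identify a single user.
const CHECKS = [
  { reason: "email-like string", test: (n) => /[^\s@]+@[^\s@]+\.[a-z]{2,}/i.test(n) },
  { reason: "long digit run (possible account ID)", test: (n) => /\d{10,}/.test(n) },
  { reason: "UUID-like token",
    test: (n) => /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i.test(n) },
  { reason: "long hex token", test: (n) => /[0-9a-f]{32,}/i.test(n) },
];

// Returns one finding per risky name: { name, reasons: [...] }.
// knownUserIds: identifiers of test accounts, matched literally.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    if (knownUserIds.some((id) => id && name.includes(String(id)))) {
      reasons.push("contains known user ID");
    }
    for (const check of CHECKS) {
      if (check.test(name)) reasons.push(check.reason);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample data (not taken from any real site or account).
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache-v2",
  "userdata_108234567890123456789",
  "inbox:alice@example.com",
  "sync-3f2b8c1e-9a4d-4e6f-8b1a-2c3d4e5f6a7b",
];
const SAMPLE_USER_IDS = ["108234567890123456789"];

for (const f of auditDatabaseNames(SAMPLE_NAMES, SAMPLE_USER_IDS)) {
  console.log(`${f.name}: ${f.reasons.join("; ")}`);
}
```

A name that is unique to one user is a concern even when it is random, since any value that stays the same across sessions can be used to recognise that user again.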
Avoid using Safari while it’s being patched
The team that discovered the vulnerability has created a demo to identify sites that a user with a Google account has recently opened or accessed. The demo looks for 20 specific websites where the vulnerability works if Safari 15 is used with macOS, iOS 15, or iPadOS 15.
As it is not patched, the only things that can be done to avoid being affected are blocking JavaScript, not using Google accounts, or using another web browser. Interestingly, Apple refused in June 2020 to implement 16 web APIs in Safari's WebKit, arguing that they could pose a privacy issue. However, many argued that this move was made to force users to use native iOS apps.