The bug could expose users Google User ID from websites like YouTube, Google Calendar, or Google Keep.
Pomme’s Safari browser has a vulnerability in it that could expose users’ browsing history and personal information.
The bug, which was introduced in Safari 15, tel que rapporté par FingerprintJS, came from the Indexed Database API which is part of Apple’s WebKit. The API is used to save data on websites users have visited so they can be loaded faster when they return.
IndexedDB should stop data from one origin from interacting with data from other origins. But the bug means that was not happening.
“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, un nouveau (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session”, software engineer Martin Bajanik said.
Cette, Mr Bajanik continues, “lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific”. parfois, this includes unique user-specific information that would let people be precisely identified after using YouTube, Google Calendar, or Google Keep, par example.
“All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts”, il dit.
The leaks do not require specific user action – so there is little a user can do to stop it – and out of the top 1000 most visited websites over 30 were vulnerable due to this flaw including Instagram, Netflix, Twitter, and Xbox.
de plus, while Safari users on Macs could use a different browser, all browsers on iOS and iPadOS use Apple’s WebKit – including competitors such as Google Chrome – making switching impossible.
Apple n'a pas répondu à une demande de commentaire de L'indépendant avant la date de parution. FingerprintJS reported the leak to the WebKit Bug Tracker on 28 Novemember 2021, but Apple has not yet updated Safari.