Safari 15 bug can leak your recent browsing activity and personal identifiers

The image is by Alex Castro.

A bug in the browser can leak your browsing activity and reveal some of the personal information attached to your account, according to findings from a browser fingerprinting and fraud detection service. The issue with Apple's implementation of IndexedDB, an application programming interface that stores data on your browser, is the root of the vulnerability.

The same-origin policy restricts one origin from interacting with data that was collected on other origins, and only the website that generated data can access it. If you open your email account in one tab and then open a malicious page in another, the same-origin policy prevents the malicious page from viewing and interfering with your email.

There isn't much you can do to get around the issue.

The same-origin policy was violated by Apple's application of the IndexedDBAPI. A database with the same name is created in all other frames, tabs, and windows when a website interacts with it.

This means that other websites can see the name of the other databases that are on other sites. Your unique Google User ID is used to create databases on all the sites that use your account. Your User ID allows you to allow your website to access your publicly available information, which can be seen by other websites.

This is a big bug. On OSX, users can switch to another browser if they want to avoid data leaking across origins.
>
Jake Archibald is on January 16, 2022.

If you have a Mac, iPhone, or iPad, you can try out the proof-of-concept demo created by FingerprintJS. The demo shows how the bug in the browser can be used to identify the websites you have opened recently, and how the information from your user ID can be used to identify you. It only checks 30 popular sites that are affected by the bug, but it likely affects more.

There is not much you can do to get around the issue, as it affects Private Browsing mode onSafari. All browsers are affected by Apple's third-party browser engine ban, but you can use a different browser on macOS. There hasn't been an update to Safari yet, despite the leak being reported to the WebKit Bug Tracker. Apple didn't immediately respond to The Verge's request for comment.