Safari 15 bug can leak your recent browsing activity and personal identifiers

A bug in Safari 15 can leak your browsing activity, and can also reveal some of the personal information attached to your Google account, according to findings from FingerprintJS, a browser fingerprinting and fraud detection service (via 9to5Mac). The vulnerability stems from an issue with Apple’s implementation of IndexedDB, an application programming interface (API) that stores data on your browser.

As explained by FingerprintJS, IndexedDB abides by the same-origin policy, which restricts one origin from interacting with data that was collected on other origins — essentially, only the website that generates data can access it. For example, if you open your email account in one tab and then open a malicious webpage in another, the same-origin policy prevents the malicious page from viewing and meddling with your email.

There’s not much you can do to get around the issue

FingerprintJS found that Apple’s application of the IndexedDB API in Safari 15 actually violates the same-origin policy. When a website interacts with a database in Safari, FingerprintJS says that “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”

This means other websites can see the name of other databases created on other sites, which could contain details specific to your identity. FingerprintJS notes sites that use your Google account, like YouTube, Google Calendar, and Google Keep, all generate…

Read more…