Safari: A vulnerability in Safari could leak a user’s logged-in Google account data and browsing history if exploited by cybercriminals. It was discovered by FingerprintJS, which revealed the details on Friday (14).
The problem lies with the implementation of the IndexedDB API in Safari’s WebKit engine on iOS and macOS, according to the Fingerprint and Fraud Detection Service. This application programming interface stores the data in the browser and restricts access to it to the website on which it was generated.
However, an error in this system allows the violation of the “same origin” policy, allowing a site to see the bases generated by others, in addition to its own, in case of exploitation. Google services, for example, store an IndexedDB instance for each connected account, with the database name corresponding to the user ID.
By taking advantage of the loophole, a malicious website can scrape data related to the search giant’s services and discover various other information about a particular person, according to experts. In the tests done by them, it was even possible to access the user’s profile picture.
Problem not fixed
According to FingerprintJS, the Safari bug was reported to Apple on November 28th, but so far there is no fix. In the meantime, the best way to mitigate the problem is to choose a non-WebKit based browser, but this only works on macOS — all browsers are affected on iOS and iPadOS as they use Apple’s browser engine.