Apple bug can expose users’ browser history and Google account details

[ad_1]

The bug causes IndexedDB to expose the data it has collected to websites it didn’t collect it from. (Credit: Unsplash)

A bug has been detected on Apple’s Safari 15, that can leak your recent browsing activity and expose your Google User ID to other sites.

The vulnerability was revealed in a by FingerprintJS, a browser fingerprinting and fraud detection service. 

The bug was reportedly introduced to Safari 15 via the Indexed Database API (IndexedDB), which is part of Apple’s WebKit, the web browser development engine.

IndexedDB is an application programming interface (API) that stores data on your browser such as websites you’ve visited, making them load quicker when you revisit them. The bug causes IndexedDB to expose the data it has collected to websites it didn’t collect it from. 

Additionally, some websites in Google’s network use unique user-specific identifiers in the data provided to IndexedDB. So, if you’re logged into your Google account, the collected data can be used to identify both your browsing history and details of all the accounts you’re currently logged into.

‘Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,’ wrote FingerprintJS.

Unfortunately, there’s not much you can do to get around the issue, as the bug also affects Private Browsing mode on Safari.

According to FingerprintJS, if you visit multiple different websites within the same Private tab, ‘all databases these websites interact with are leaked to all subsequently visited websites’.

Apple Mac users can potentially avoid the bug by switching from Safari to a different browser like Google Chrome but Apple’s third-party browser engine ban on iOS means all browsers on iPhones and iPads are affected.

IndexedDB usually follows the same-origin policy security mechanism, which doesn’t let websites freely interact with each other unless they have the same domain name. For example, Netflix can’t access IndexedDB’s saved data to find out what you’ve been watching on YouTube.

Apple Mac users can potentially avoid the bug by switching from Safari to a different browser like Google Chrome. (Credit: Unsplash)

When a website interacts with a database in Safari, FingerprintJS says that ‘a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.’

This means other websites can see the name of other databases created on other sites, which could contain details specific to your identity. 

FingerprintJS notes sites that use your Google account, like YouTube, Google Calendar, and Google Keep, all generate databases with your unique Google User ID in its name. Your Google User ID allows Google to access your publicly-available information, such as your profile picture, which the Safari bug can expose to other websites.

To check if your browser has been affected, FingerprintJS has created a proof-of-concept demo you can try out if you have Safari 15 and above on your Mac, iPhone, or iPad. The demo uses the browser’s IndexedDB vulnerability to identify the sites you have opened recently and shows how sites that exploit the bug can scrape information from your Google User ID. It currently only detects 30 popular sites that are affected by the bug, such as Instagram, Netflix, Twitter, Xbox.

FingerprintJS reported the leak to the WebKit Bug Tracker in November last year but Apple hasn’t fixed it yet. Metro.co.uk has contacted Apple for comment.


MORE : Google ‘paid Apple billions to stay out of search business’, lawsuit claims


MORE : Apple is worth more than the entire FTSE 100 combined



[ad_2]

Source link

Leave a Reply

Your email address will not be published.