If you have been using Safari 15 on your Apple device, you should be aware of a bug that can reveal your Google account’s personal information. The bug was reported by FingerprintJS, a company that focuses on fraud detection relating to browser fingerprinting.
The bug is a result of how Apple implemented IndexedDB, an application programming interface used for storing data in the browser.
As explained by FingerprintJS, IndexedDB is meant to follow the same-origin policy, which stops one origin from interacting with data stored by other origins. In practical terms, if you sign in to your Facebook account in one browser tab and open another tab for a dangerous website, IndexedDB will not allow the dangerous website to track what you are doing in your Facebook account.
However, in the case of Safari 15, the browser does not respect this same-origin policy. When a website interacts with a database, according to FingerprintJS, a new, empty database with the same name is created in all the other active frames, tabs, and windows in the browser session.
As a result, a website can read the names of databases that belong to other websites. What makes Google accounts vulnerable is that the company uses your unique Google User ID to name its databases. Google uses the ID to link you to your profile picture and other publicly accessible details.
Here is FingerprintJS’s description of the bug: “In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session unless you switch to a different profile, in Chrome, for example, or open a private window. For clarity, we will refer to the newly created databases as “cross-origin-duplicated databases” for the remainder of the article.”
Since Google uses this database naming method across multiple products, this bug affects multiple services like YouTube, Google Calendar, Google Keep, etc.
Other websites using the same database naming method are vulnerable to this bug.
FingerprintJS has published a demo on its website that works on the Mac, iPhone, and iPad if you want to try it. You will see the websites you have visited and how malicious sites can use the bug to obtain your Google User ID information.
FingerprintJS has identified 30 popular websites that are affected, including common online destinations like Instagram, Twitter, and Netflix.
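The behaviour FingerprintJS describes can be modelled as a small bookkeeping bug. The JavaScript below is an added illustration, not code from FingerprintJS or WebKit; the origins, the database name format and the user ID placeholder are constructed.

```javascript
// Toy model (constructed) of per-origin database bookkeeping in one browser
// session. It mirrors the description only: names are duplicated into other
// *active* contexts, and the duplicates are empty.
class BrowserSession {
  constructor({ duplicateAcrossOrigins }) {
    // true models Safari 15 as described; false models same-origin isolation.
    this.duplicateAcrossOrigins = duplicateAcrossOrigins;
    this.stores = new Map(); // origin -> Map(database name -> record count)
  }

  // A frame, tab or window for `origin` becomes active in the session.
  openContext(origin) {
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
  }

  // `origin` interacts with a database called `name`, writing `records` rows.
  openDatabase(origin, name, records = 0) {
    this.openContext(origin);
    const own = this.stores.get(origin);
    own.set(name, (own.get(name) || 0) + records);
    if (!this.duplicateAcrossOrigins) return;
    for (const [other, dbs] of this.stores) {
      // Only the name crosses the origin boundary; the contents do not.
      if (other !== origin && !dbs.has(name)) dbs.set(name, 0);
    }
  }

  // Database names that `origin` can see in its own storage.
  visibleNames(origin) {
    return [...(this.stores.get(origin) || new Map()).keys()].sort();
  }
}

// Constructed scenario: a signed-in site names its database after the user ID
// while an unrelated site is open in another tab.
function scenario(duplicateAcrossOrigins) {
  const session = new BrowserSession({ duplicateAcrossOrigins });
  const dbName = "app-data-USER-ID-PLACEHOLDER"; // hypothetical naming scheme
  session.openContext("https://unrelated.example");
  session.openDatabase("https://accounts.example", dbName, 3);
  const other = session.stores.get("https://unrelated.example");
  return {
    seenByOtherOrigin: session.visibleNames("https://unrelated.example"),
    recordsLeaked: other.get(dbName) || 0,
  };
}
```

With isolation enforced the unrelated origin sees no names at all; with duplication it sees the name, and therefore the identifier embedded in it, even though no stored records cross over.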
There is nothing you can do to protect yourself at this stage because the bug also affects private browsing mode. Making matters worse, switching to another browser does not help because Apple requires all browsers to use Safari’s browsing engine, making all of them vulnerable as well.
“In this case, private mode in Safari 15 is also affected by the leak. It’s important to note that browsing sessions in private Safari windows are restricted to a single tab, which reduces the extent of information available via the leak. However, if you visit multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites. Note that in other WebKit-based browsers, for example, Brave or Google Chrome on iOS, private tabs share the same browser session in the same way as in non-private mode.”
The only solution is to sit tight until Apple releases a fix.
However, there has been no public comment from Apple on this bug, even though FingerprintJS reported it to the company in November.