A software bug in Apple’s Safari 15 can let any website obtain your recent internet and even some Google account info, as well as reveal your identity.
According to a blog post by FingerprintJS, a browser fingerprinting and fraud detection service, the bug was introduced in Safari 15’s implementation of the IndexedDB API, which is part of Apple’s WebKit web browser development engine.
For those unaware, IndexedDB is a browser API for client-side storage designed to hold significant amounts of data, which is supported in all major browsers and is very commonly used.
Like most modern web browser technologies, IndexedDB is following same-origin policy, which is a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. Indexed databases are associated with a specific origin.
“Documents or scripts associated with different origins should never have the possibility to interact with databases associated with other origins,” the blog says.
In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. When a website interacts with a database in Safari, FingerprintJS says a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.
The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific.
Moreover, FingerprintJS observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.
Some popular examples would be YouTube, Google Calendar, or Google Keep. All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts.
The Google User ID is an internal identifier generated by Google. It uniquely identifies a single Google account, which can be used with Google APIs to fetch public personal information of the account owner.
“Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” wrote FingerprintJS.
Note that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real-time. Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.
FingerprintJS has created a demo page that shows how a website can learn the Google account identity of any visitor. The demo is available at safarileaks.com. You can try it out if you have Safari 15 and above on your Mac, iPhone, or iPad. Currently, the demo only detects the presence of 20+ websites in other browser tabs or windows, including Google Calendar, Youtube, Twitter, and Bloomberg.
FingerprintJS said it reported the Safari bug to the WebKit Bug Tracker on November 28, 2021 as bug 233548; however, Apple has not fixed the issue yet.