New Safari Vulnerability Can Leak Recent Browsing History and Some of your Google Account Information

new safari vulnerability

A new Safari vulnerability disclosed by FingerprintJS, can leak recent browsing history and some information of your logged-in Google account.

The bug was introduced in Safari 15 implementation of the IndexedDB API that lets any website track your internet activity and even reveal your identity.

- Advertisement -

Proof of Concept

Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user’s profile picture is revealed.

The proof-of-concept only keeps a lookup table of about 30 domain names, however there’s no reason the technique could not be applied to a much larger set. Almost any website that uses the IndexedDB JavaScript API could be vulnerable to such data scraping.

Apple Working on a fix

All current versions of Safari on iPhone, iPad and Mac are exploitable. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved.

Apple engineers began working on the bug as of Sunday, have merged potential fixes, and have marked our report as resolved. However, the bug continues to persist for end users until these changes are released.

Exit mobile version