According to discoveries from FingerprintJS, a flaw in Safari 15 could leak your browsing activity as well as some personal information associated with your Google account. The vulnerability stems from Apple’s implementation of IndexedDB, an application programming interface (API) that stores data in your browser.
IndexedDB follows the same-origin policy, which prevents one origin from interacting with data created by other origins; in other words, only the website that generates data has access to it. For example, if you open your email account in one tab and a malicious webpage in another, the same-origin policy prohibits the malicious webpage from accessing and interfering with your email.
There’s Not Much You Can Do to Get Around the Issue
FingerprintJS discovered that Apple’s implementation of the IndexedDB API in Safari 15 breaks the same-origin policy. According to FingerprintJS, when a website interacts with a database in Safari, “a new database with the same name is produced in all other active frames, tabs, and windows within the same browser session.”
This means that other websites can see the names of databases created by other sites, and those names may contain personal information about you. According to FingerprintJS, sites that use your Google account, such as YouTube, Google Calendar, and Google Keep, all create databases with your unique Google User ID in the name. Your Google User ID gives Google access to information that is publicly available, such as your profile picture, which the Safari flaw can disclose to other websites.
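For site developers, the practical lesson is to keep user identifiers out of database names. The following is an added example, not code from FingerprintJS or this article: it audits the database names your own origin creates and flags any that embed an identifier. The patterns and sample names are assumptions constructed for illustration.

```javascript
// Added example: flag IndexedDB database names that embed user identifiers.
// The patterns are assumptions about what counts as identifying; adjust them
// to the identifier formats your own application uses.
const ID_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { kind: "long-numeric-id", re: /\d{10,}/ },
];

// Return one finding per database name that matches an identifier pattern.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    if (typeof name !== "string") continue; // skip entries without a name
    const hit = ID_PATTERNS.find(({ re }) => re.test(name));
    if (hit) findings.push({ name, kind: hit.kind });
  }
  return findings;
}

// In a browser, audit the databases of the current origin.
// Returns null where indexedDB.databases() is not available (e.g. Node.js).
async function auditCurrentOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null;
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline.settings.123456789012345678901",
  "drafts-alice@example.com",
  "session-3f2b8c1e-7a4d-4e9b-8c21-5d6f7a8b9c0d",
];

console.log(auditDatabaseNames(SAMPLE_NAMES));
```

A name such as `app-cache-v2` reveals nothing about the user; keep any per-user key inside the database rather than in its name.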
If you have Safari 15 or above on your Mac, iPhone, or iPad, you can try FingerprintJS’ proof-of-concept demo. The demo shows how sites that abuse the browser’s IndexedDB flaw can detect the sites you have open (or recently opened) and steal data from your Google User ID. It currently recognizes only 30 major affected websites, including Instagram, Netflix, Twitter, and Xbox.
Unfortunately, there isn’t much you can do about it, as the problem also affects Safari’s Private Browsing mode, according to FingerprintJS. On macOS, you can use a different browser; on iOS, however, Apple’s prohibition on third-party browser engines means that all browsers are affected.