New vulnerability in Safari leaks user data


Researchers have found a vulnerability in the Safari browser, which is popular on Mac computers and in the iOS mobile operating system. The flaw is said to expose browsing history as well as Google usernames, FingerprintJS reports.

As the researchers found out, the vulnerability is observed in Safari 15 on all devices and even in third-party browsers that run on iOS 15 and iPadOS 15. The vulnerability manifests itself in third-party browsers, as Apple obliges their manufacturers to use the Safari engine on iOS and iPadOS. FingerprintJS stated that they have already notified Apple about the problem, but the company has not yet fixed it.

The vulnerability is based on the IndexedDB browser API, which allows websites to save databases on user devices. By design, a database created by a particular site can only be accessed by that same site. However, when a site accesses its database, Safari “creates a new (empty) database with the same name in all frames, tabs, and windows in the session,” says FingerprintJS. This allows one site to know what other resources the user has visited, as well as to learn some data about them, such as a Google ID, which can be used to identify the person.


Some sites, including YouTube and other Google services, put the username in the database name. Having obtained a login, attackers can find out other personal information, such as the last name, first name, and account photo.
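For site owners, the practical check that follows from this is that no IndexedDB database name should embed an account identifier. The sketch below is an added example, not code from FingerprintJS or the original article; the function names, account fields and sample database names are hypothetical and constructed for illustration.

```javascript
// Added example: audit the IndexedDB database names an origin creates.
// In a browser, collect the names on your own origin with:
//   const names = (await indexedDB.databases()).map(d => d.name);

// Build the strings to search for: each identifier, raw and URI-encoded.
function buildNeedles(user) {
  const needles = [];
  for (const [field, raw] of Object.entries(user)) {
    if (raw === null || raw === undefined) continue;
    const value = String(raw).toLowerCase();
    if (value.length < 4) continue; // too short to match reliably
    const forms = new Set([value, encodeURIComponent(value).toLowerCase()]);
    for (const form of forms) needles.push({ field, form });
  }
  return needles;
}

// Return the database names that embed any identifier of the signed-in user.
function auditDatabaseNames(names, user) {
  const needles = buildNeedles(user);
  const findings = [];
  for (const name of names) {
    const lower = String(name).toLowerCase();
    const fields = [...new Set(
      needles.filter(n => lower.includes(n.form)).map(n => n.field)
    )];
    if (fields.length > 0) findings.push({ name, fields });
  }
  return findings;
}

// Constructed sample data (hypothetical account and database names).
const sampleUser = { accountId: "108452716309", email: "jane.doe@example.com" };
const sampleNames = [
  "app-cache-v2",
  "offline-queue:108452716309",
  "prefs|jane.doe%40example.com",
  "media-thumbnails",
];

console.log(auditDatabaseNames(sampleNames, sampleUser));
```

Any name this flags should be replaced with a fixed or opaque name, keeping the identifier inside the database's records instead.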

The company that discovered the vulnerability has created a website where you can test it in action. When visited with Safari version 15, the visitor’s recent activity on a number of popular sites is displayed. On the iPhone and iPad, the vulnerability affects all browsers, as they are based on the Safari engine.