Researchers have found an unpatched bug in Safari 15 that can allow a website to read your recent browsing history as well as your Google account ID and avatar. Apple knows about the vulnerability and has been working on a patch since January 16, but its developers have not yet been able to ship a fix.
According to security firm FingerprintJS, the bug lies in Safari's implementation of the IndexedDB API. In most browsers, no website can access data from another domain's database. Safari's implementation, however, violates this "same-origin policy," which can hand a malicious website identifying information about Safari users.
FingerprintJS explains its proof-of-concept (POC) demo in a video shared on January 14. For those who want to see this unpatched Safari bug in action, it also published a live copy of the POC on the web.
The researchers first reported the vulnerability (WebKit bug 233548) to the WebKit Bug Tracker on November 28. This weekend, Apple developers marked the issue as resolved. However, the latest version of Safari still ships without the fix.
FingerprintJS highlights that an attacker could use this leak together with a lookup table to identify users. Moreover, databases created for authenticated sessions can expose a user's unique ID and profile picture, identifying the individual. For instance, logging into any Google service, such as YouTube or Gmail, authenticates the user across all Google services. As a result, any Google site opened in a new tab or browser window reveals that the site was just visited, along with the user's unique identifier and avatar.
Researchers explain that “The Google User ID is an internal identifier developed by Google. It uniquely identifies a single Google account and can be used with Google APIs to stalk the public personal information of the account owner. Many factors manage the information revealed by these APIs. Generally, at minimum, the user’s profile picture is often available.”
Until the bug is patched, all a user can do to avoid this issue is to stop using Safari. Apple marking the issue "resolved" means a patch is on the way.