A new bug has been discovered in Apple's Safari web browser that can leak the user's browsing activity and also some of the personal information linked to the user's Google account. The bug is in the WebKit implementation of a JavaScript API in Safari called IndexedDB. It was reported by browser fingerprinting service FingerprintJS on Friday.

IndexedDB is an API that stores data in your browser. This API follows the same-origin policy, which means that one origin cannot interact with data that was collected from other origins. The bug breaks this isolation: it allows other websites to access the IndexedDB databases generated by other websites during a user's browsing session.

This bug can allow websites to track your Google account as well. Google stores an IndexedDB database in Safari under the name of the user's authenticated Google User ID. This identifier can be used with Google APIs to fetch personal information about the user, such as a profile picture, according to FingerprintJS. Because the database is saved under the Google User ID, the leak can be used to reveal a lot of information related to the user's Google account.
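A check a site developer could run against their own origin, added here as an example (it is not FingerprintJS's or Google's code): it flags IndexedDB database names that embed user-specific identifiers, the naming pattern that makes this leak identifying. The regex heuristics, function names and sample database names are assumptions constructed for illustration.

```javascript
// Added example: audit IndexedDB database names for user-identifying tokens.
// The patterns below are heuristic assumptions; tune them for your own app.
const IDENTIFIER_PATTERNS = [
  { reason: "email address", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "long numeric ID", re: /\d{10,}/ },
  { reason: "long hex token", re: /[0-9a-f]{24,}/i },
];

// Returns the first matching reason, or null when the name looks generic.
function classifyName(name) {
  for (const { reason, re } of IDENTIFIER_PATTERNS) {
    if (re.test(name)) return reason;
  }
  return null;
}

// Returns one finding per database name that appears to embed an identifier.
function auditDatabaseNames(names) {
  return names
    .map((name) => ({ name, reason: classifyName(name) }))
    .filter((finding) => finding.reason !== null);
}

// In a browser, audit the databases created by the current origin only.
// indexedDB.databases() resolves to a list of { name, version } entries.
async function auditCurrentOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return []; // API not available (older browser or non-browser runtime)
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.112233445566778899001",
  "drafts-alice@example.com",
  "sync-3f2b8c1e-9a4d-4e6f-8b7a-0c1d2e3f4a5b",
  "keyval-store",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.name}: name embeds a ${f.reason}`);
}
```

Names that are flagged are better replaced with a fixed, generic database name, with the per-user identifier kept inside the database as a record key.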

This bug affects Safari 15 on all versions of iOS 15, macOS Monterey, and iPadOS 15 as all of these use Apple's open-source WebKit engine. Even third-party web browsers on iOS, including Chrome and Microsoft Edge, are vulnerable to the bug as Apple requires all browsers to use the WebKit website rendering engine on the iPhone and iPad.

FingerprintJS has also shared a live demo of the bug, which you can use to try it out for yourself.

The bug doesn't require any user input or any user interaction for a website to access the IndexedDB database generated by other websites. As FingerprintJS' blog post notes, "a tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time. Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site."

The bug has to be patched by Apple. Even using the 'Private Window' won't help. If you're running Safari 14, i.e., a previous version of iOS or macOS, the bug won't affect you. And since the bug has been highlighted by a number of users, publications, and cyberactivists, a fix should be coming soon — although Apple is yet to comment on the bug.

If you're a Safari 15 user on macOS, you should temporarily switch to a different browser, for example, Google Chrome or Microsoft Edge. Switching web browsers on iOS and iPadOS won't help, as all web browsers there use the WebKit rendering engine, which is affected by the vulnerability.

Via: MacRumors, The Verge