Apple’s recently released Safari 15 has a bug, which can reveal your browsing history and other important information to malicious websites. The bug, as discovered by FingerprintJS, has been found in Safari’s IndexesDB API and remains exploitable till now. Here’s what you need to know about it.
The discovered Safari bug has been explained in a detailed blog post. According to the blog post, a vulnerability in the implementation of IndexedDB, a low-level application programming interface (API) that is used to store significant amounts of structured browsing data, is enabling websites to track user activity and acquire unique Google user IDs in Safari 15.
In our testing, the demo website was able to track the websites that were visited during the browsing session and was also able to acquire the unique Google ID and the corresponding profile picture. It is said to detect 30 popular websites at present, including Bloomberg, Slack, Instagram, Netflix, Twitter, and more. Furthermore, the bug can also affect users in the Private Browsing mode on Safari.
The post further suggests that while the “cross-origin-duplicated databases” can be deleted, an issue doesn’t let this happen.
