A serious Safari bug uncovered by FingerprintJS can reveal information about the current browsing history and even some data from the logged-in Google account.
A bug in Safari's IndexedDB implementation on Mac and iOS means that a website can see the names of databases for any domain, not just its own. The database names can then be matched against a lookup table to extract identifying information, FingerprintJS reports in a new blog post. For example, Google services store an IndexedDB instance for each of your logged-in accounts, where the name of the database corresponds to your Google User ID. With the exploit described in the post, a malicious website could read your Google User ID and then use that ID to find out other personal information about you, since the ID is used to make API requests to Google services. The proof-of-concept demo shows the user's profile picture.
Safari bug: Apple has not yet responded
The proof of concept only contains a lookup table with about 30 domain names, but there's no reason why the technique can't be applied to a much larger set. Almost any website that uses the IndexedDB JavaScript API could be vulnerable to such data scraping. The flaw is simply that the names of all IndexedDB databases are accessible to any website, even though access to the actual contents of each database is restricted. The solution, and the correct behavior observed in other browsers like Chrome, is that a website can only see the databases created under the same domain name as its own. All current versions of Safari on iPhone, iPad and Mac are affected. FingerprintJS says they reported the bug to Apple on November 28, but the problem has not yet been fixed.