  • Major Apple Safari privacy bug means any websites can access your Google ID, other private data

    Karlston


    If you care about your privacy, you may need to put down your iPhone: a serious implementation bug in Safari means any website is able to read some of your private data and recent browsing history, even when using Private Browsing mode.

     

    The issue is with how Safari implements IndexedDB, a browser-based database commonly used by web apps. Most browsers create a new instance of IndexedDB for each website, which can only be accessed from that website.

     

    Safari, however, creates an empty copy of each website's IndexedDB database in every other website, meaning that Safari does not properly respect the same-origin policy for IndexedDB.

     

    Even though the shadow copies of IndexedDB created for other web pages are empty, they still have the same name as the actual database created by the original web app, which can leak private information. The mere presence of the database will let other web pages know that you visited another website; for example, the presence of the Netflix IndexedDB could tell Amazon that you are a Netflix user. Even worse, however, the name of the database may leak your credentials. The name of the database for Google apps (such as Gmail or YouTube) includes your Google ID, for example, which can be used to access your publicly available information, such as your profile picture.
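
The difference between per-origin isolation and the behaviour described above, as a toy model added here for illustration (it is not browser code and not FingerprintJS's proof of concept). The class and function names, origins, database names and user ID are all hypothetical and constructed; the last function is a check a web developer can run on their own database names to see whether they embed a user identifier.

```javascript
// Added illustration: a toy model of per-origin IndexedDB bookkeeping.
// Not browser code; every name below is hypothetical.
class DatabaseRegistry {
  constructor({ enforceSameOrigin }) {
    this.enforceSameOrigin = enforceSameOrigin;
    this.byOrigin = new Map(); // origin -> Set of database names it created
  }

  // Called when a page at `origin` opens (creates) a database.
  open(origin, name) {
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Set());
    this.byOrigin.get(origin).add(name);
  }

  // Database names visible to a page at `origin`.
  visibleNames(origin) {
    const names = new Set();
    for (const [owner, dbs] of this.byOrigin) {
      // Correct behaviour: only the owner's own databases are listed.
      // Behaviour described in the article: empty same-named copies exist
      // for every other origin, so their names become visible as well.
      if (this.enforceSameOrigin && owner !== origin) continue;
      for (const db of dbs) names.add(db);
    }
    return [...names].sort();
  }
}

// Names a page at `origin` can see that it did not create itself.
function crossOriginExposure(registry, origin) {
  const own = registry.byOrigin.get(origin) ?? new Set();
  return registry.visibleNames(origin).filter((n) => !own.has(n));
}

// Developer-side check: does a database name embed a per-user identifier?
function nameEmbedsIdentifier(name, userIdentifiers) {
  return userIdentifiers.some((id) => id.length > 0 && name.includes(id));
}

// Constructed sample data: origins, names and the user ID are made up.
function demo(enforceSameOrigin) {
  const reg = new DatabaseRegistry({ enforceSameOrigin });
  reg.open("https://mail.example", "offline-cache-user-1234567890");
  reg.open("https://video.example", "player-settings");
  reg.open("https://shop.example", "cart");
  return crossOriginExposure(reg, "https://shop.example");
}
```

With isolation enforced, `demo(true)` exposes nothing to the shop origin; with the shadow-copy behaviour, `demo(false)` exposes both other sites' database names, one of which carries the user ID.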

     

    The bug was discovered and reported by FingerprintJS on the 28th of November, but so far Apple has not taken any action.

     

    You can test out the issue at FingerprintJS’s proof of concept website here, which will check if you visited 30 different major websites recently.

     

    On macOS, users can and should use an alternate browser, but on iOS all browsers use the Safari web engine, meaning iPhone users have no mitigation except to stop using the browser on their phone.

     

    Watch FingerprintJS’s explainer video below:

     

     

    via the Verge

     

     
