A newly disclosed vulnerability in Apple Inc’s Safari 15 exposes users’ data and online activity

A recently discovered flaw in Apple Inc.’s Safari web browser and related WebKit technology potentially exposes a user’s identity and internet history. Researchers at FingerprintJs Inc. identified and disclosed the vulnerability on January 14 in Safari 15’s implementation of the IndexedDB application programming interface. IndexedDB is a client-side storage API present in many browsers meant to hold large volumes of data.

According to the researcher, the vulnerability was discovered in late November and reported to Apple and the WebKit Bug Tracker, but it was finally rectified on the morning of January 17. Users will continue to be affected by the flaw until a patch is provided.

The issue with Safari is how Apple built it, which violates Apple’s “same-origin” policy, which bans documents and scripts in one location from interacting with the material in another. As a result, a malicious website could obtain information about Google LLC accounts and history from open tabs and windows.

“A Google user ID is an internal identifier created by Google that recognizes a particular Google account.” It can be used in conjunction with Google APIs to obtain the account owner’s public personal details. Many factors influence the data exposed by these APIs, and the user’s profile photo is usually available. This means that an untrustworthy or malicious website can learn a user’s identification and link numerous independent accounts used by the same user.