Safari exploit can leak browser history and Google Account information


Apple device users appear to be vulnerable to a significant browser privacy flaw. According to 9to5Mac, FingerprintJS has disclosed an exploit that allows attackers to retrieve your recent browser history, and even some Google Account information, from Safari 15 on all supported platforms, as well as from third-party browsers on iOS 15 and iPadOS 15. The IndexedDB framework (used to store data in many browsers) violates the “same-origin” policy, which prevents documents and scripts from one location (such as a domain or protocol) from interacting with content from another. This allows a suitably coded site to obtain Google data from logged-in users as well as history from open tabs and windows.

The flaw only exposes database names, not the content itself. However, that would still be enough for the owner of a malicious site to retrieve your Google username, find your profile picture, and otherwise learn more about you. The history could also be used to compile a rudimentary profile of the sites you like. Private browsing will not defeat the exploit, FingerprintJS said.

We asked Apple for comment. FingerprintJS said it reported the problem on Nov. 28, however, and that Apple has not yet resolved it with security patches that honor the same-origin policy. Until then, the only solutions may be to either use a third-party browser on the Mac or block all JavaScript, which is not necessarily an option.
