Bug in WebKit's IndexedDB implementation makes Safari 15 leak Google account info... and more

2022-01-17 18:31

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers.

The Safari bug can then expose publicly available information from, say, a Google account.

Users logged into their Google account will have their unique Google User ID placed into the database's name.

Database names can then be used to extract identifying information from a lookup table if sites scrape the Google User ID and use it to find personal information.

The fraud detection service created a demo to identify the sites a Google account user has open or opened recently.

It looks for over 20 specific websites it knows are problematic when used in combination with Safari 15 on macOS, iOS 15 or iPadOS 15 as Apple requires WebKit be used with those browsers, and a Google account.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/17/safari_15_indexeddb_bug/

#google #leak #safari

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Google		102	253	4226	4525	728	9732