Bug in WebKit's IndexedDB implementation makes Safari 15 leak Google account info... and more
2022-01-17 18:31

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers.

The Safari bug can expose publicly available information from, say, a Google account.

Users logged into their Google account will have their unique Google User ID placed into the database's name.

Database names can then be used to extract identifying information from a lookup table if sites scrape the Google User ID and use it to find personal information.
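A check a site developer could run over the IndexedDB database names their own origin creates, to catch user identifiers embedded in them. This is an added example, not code from the original article; the sample names, the identifier and the 15-digit threshold are constructed assumptions.

```javascript
// Audit IndexedDB database names for embedded user identifiers.
// In a browser the input could come from the site's own origin:
//   const names = (await indexedDB.databases()).map(d => d.name);
// minDigits is an assumed heuristic for numeric account IDs.
function auditDbNames(dbNames, identifiers, minDigits = 15) {
  const longDigits = new RegExp(`\\d{${minDigits},}`);
  const findings = [];
  for (const name of dbNames) {
    const lower = name.toLowerCase();
    const reasons = [];
    for (const id of identifiers) {
      const s = String(id);
      const encoded = encodeURIComponent(s).toLowerCase();
      const b64 = btoa(s).replace(/=+$/, ""); // base64 is case-sensitive
      if (lower.includes(s.toLowerCase())) {
        reasons.push("raw identifier");
      } else if (lower.includes(encoded)) {
        reasons.push("percent-encoded identifier");
      } else if (name.includes(b64)) {
        reasons.push("base64 identifier");
      }
    }
    // Fall back to the heuristic only when no known identifier matched.
    if (reasons.length === 0 && longDigits.test(name)) {
      reasons.push("long numeric run");
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample data, not taken from any real site.
const sampleUser = "alice@example.test";
const sampleNames = [
  "app-cache-v2",
  "offline.settings.123456789012345678901",
  "sync_" + btoa(sampleUser),
  "drafts-alice%40example.test",
];

for (const f of auditDbNames(sampleNames, [sampleUser])) {
  console.log(`${f.name}: ${f.reasons.join(", ")}`);
}
```

Names that are flagged can be replaced with a fixed name or a random per-install value that carries no account identifier.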

The fraud detection service created a demo to identify the sites a Google account user has open or opened recently.

It looks for over 20 specific websites it knows are problematic when used with a Google account in Safari 15 on macOS, iOS 15 or iPadOS 15, as Apple requires WebKit be used with those browsers.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/17/safari_15_indexeddb_bug/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995