Security News > 2022 > January > Pervasive Apple Safari Bug Exposes Web-Browsing Data, Google IDs

Pervasive Apple Safari Bug Exposes Web-Browsing Data, Google IDs
2022-01-20 16:50

Typically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin/back-end server.

Without this security policy in place, a snooper who manages to inject a malicious script into one website would be able to have free access to any data contained in other tabs the victim may have open in the browser, including access to online banking sessions, emails, healthcare portal data and other sensitive information.

Put simply, malicious websites can learn a user's identity and link it to multiple separate accounts that use the same ID, researchers warned.

Beyond Google sites, the firm found that users of at least 30 of the Alexa Top 1,000 most-visited websites could be likewise affected by the identity leakage.

The researchers have created a proof-of-concept demo that demonstrates how a malicious website can learn the Google account identity of any visitor.

If a user visits "Multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites," warned the firm.


News URL

https://threatpost.com/apple-safari-bug-browsing-data-google-ids/177809/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995
Apple 72 238 1567 2279 265 4349