Pervasive Apple Safari Bug Exposes Web-Browsing Data, Google IDs
2022-01-20 16:50

Typically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin/back-end server.

Without this security policy in place, a snooper who manages to inject a malicious script into one website would be able to have free access to any data contained in other tabs the victim may have open in the browser, including access to online banking sessions, emails, healthcare portal data and other sensitive information.

Put simply, malicious websites can learn a user's identity and link it to multiple separate accounts that use the same ID, researchers warned.

Beyond Google sites, the firm found that users of at least 30 of the Alexa Top 1,000 most-visited websites could be likewise affected by the identity leakage.

The researchers have created a proof-of-concept demo that shows how a malicious website can learn the Google account identity of any visitor.

"If a user visits multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites," warned the firm.


News URL

https://threatpost.com/apple-safari-bug-browsing-data-google-ids/177809/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 253 4216 4506 727 9702
Apple 68 212 1433 2208 257 4110