A bug in Safari 15 can leak your browsing activity. It can also reveal some of the personal information attached to your Google account, according to findings from FingerprintJS, a browser fingerprinting and fraud detection service. The vulnerability stems from an issue with Apple’s implementation of IndexedDB, an application programming interface (API) that stores data on your browser.
FingerprintJS, IndexedDB abides by the same-origin policy, which restricts one origin from interacting with data that was collected on other origins; only the website that generates data can access it.FingerprintJS found that Apple’s application of the IndexedDB API in Safari 15 actually violates the same-origin policy.
Google User ID allows Google to access your publicly-available information, such as your profile picture, which the Safari bug can expose to other websites. FingerprintJS created a proof-of-concept demo you can try out if you have Safari 15 and above on your Mac, iPhone, or iPad. The demo uses the browser’s IndexedDB vulnerability to identify the sites you have open and shows how sites that exploit the bug can scrape information from your Google User ID.