The bug is in Safari’s IndexedDB implementation on Mac and iOS. This security flaw allows a website to gain sensitive information about users by accessing the names of the IndexedDB databases created by any domain. Identity information can later be extracted from these database names. According to 9to5mac, when you log in to any Google service, Google stores an IndexedDB instance for you whose database name corresponds to your Google User ID. A website can then reach your other sensitive information through that Google User ID, because this ID is used to create API requests in various Google services. “Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” FingerprintJS noted.
Safari is putting users’ sensitive information at risk
FingerprintJS created a proof-of-concept demo website that shows how a website can learn the Google account identity of any visitor. However, the demo holds information for only 30 websites, and there are definitely many more affected websites. The number of affected websites is still unknown, but any website using the IndexedDB JavaScript API could be at risk. According to FingerprintJS, all current versions of Safari on iPhone, iPad, and Mac devices are exploitable. They reported the bug to Apple on November 28, and the company’s engineers have just worked on it. However, the issue persists, and there is no actual solution yet. Of course, this is not something that Apple can easily ignore. We will probably see an update to the Safari browser on different platforms in the coming months.
How to protect ourselves?
FingerprintJS says that users can’t do much about the issue. The only option that might help is to block all JavaScript by default and only allow it on trusted sites. FingerprintJS has analyzed Alexa’s Top 1000 most visited websites to search for the bug. “The results show that more than 30 websites interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate,” FingerprintJS noted in its blog post. “We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page.”
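For site developers, the exposure described above depends on what a database name gives away, as with a name that corresponds to a user ID. The following is an added example, not code from FingerprintJS or the original article: it audits a list of IndexedDB database names (for instance, copied from the browser's developer tools for your own site) for embedded user-unique values, and compares the names seen under two test accounts. The patterns, function names and sample names are constructed assumptions.

```javascript
// Added example: audit IndexedDB database names for user-unique values.
// The patterns are heuristic assumptions, not an official or complete list.
const PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-numeric-id", re: /(?<![0-9])[0-9]{10,}(?![0-9])/ },
  { kind: "hex-token", re: /(?<![0-9a-f])[0-9a-f]{24,}(?![0-9a-f])/i },
];

// Flag every name that embeds something shaped like a per-user identifier.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    for (const { kind, re } of PATTERNS) {
      const m = re.exec(name);
      if (m) {
        findings.push({ name, kind, match: m[0] });
        break; // one matching kind is enough to flag the name
      }
    }
  }
  return findings;
}

// Names present under one test account but not the other are per-user,
// even when no pattern above recognises the identifier format.
function perUserNames(accountA, accountB) {
  const a = new Set(accountA);
  const b = new Set(accountB);
  return [
    ...accountA.filter((n) => !b.has(n)),
    ...accountB.filter((n) => !a.has(n)),
  ];
}

// Constructed sample data: names observed while logged in as two test users.
const SAMPLE_A = ["app-cache", "offline.settings-123456789012345678901", "msgs-alice@example.com"];
const SAMPLE_B = ["app-cache", "offline.settings-987654321098765432109", "msgs-bob@example.com"];

console.log(auditDatabaseNames(SAMPLE_A));
console.log(perUserNames(SAMPLE_A, SAMPLE_B));
```

Any name this flags is better replaced with a fixed name, with the per-user value kept inside the database as a record or key.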