Worrying news has emerged for users of Safari, Apple's well-known web browser available on various platforms. In the last few hours, significant security issues have surfaced online, uncovered by the work of FingerprintJS, a cybersecurity monitoring service.
According to the work done by FingerprintJS, Safari 15 suffers from a vulnerability that could expose various pieces of users' personal information to third parties: browsing history, personal identifiers, and personal data associated with the sites visited (such as the email address if you open your mailbox, or the Google profile picture if you open YouTube).
The security issue stems from an incorrect implementation of IndexedDB, an API that handles the storage and management of data associated with websites visited in Safari. As a rule, this API enforces a strict policy that prevents a website from accessing personal information generated and collected by another website.
Safari 15's implementation of IndexedDB does not observe this policy, which allows third-party sites to access the personal data databases stored by other websites. It is therefore possible for third-party sites to access the databases generated by YouTube, Google Keep, and Google Drive. The sites affected by the bug also include Instagram, Netflix, Twitter, and Xbox, but the list could be much longer.
According to the FingerprintJS report, the bug also affects the browser's private browsing mode, so there is very little users can do on their own to protect themselves from the problem. We must wait for Apple to intervene with a fix. FingerprintJS reported the problem last November 28; to date there is still no news on its resolution.