This bug leaks your iPhone’s web browser history, even on Private Browsing

A serious bug in Safari 15 was found to be able to leak your recent browsing activity and your Google account information such as your User ID and profile photo. This bug was found by FingerprintJS and is caused by the way Apple uses an API called IndexedDB. Not only does this affect Safari on macOS, but it also affects every browser on iOS and iPadOS 15.

To make it brief, Apple implemented IndexedDB in such a way where websites can see the name of other websites and other details when it shouldn’t be able to do that. When you use sites that use your Google account, like YouTube, it makes it so that other tabs and windows can see your unique Google User ID. With this ID, you can look up someone’s profile picture as well.

If you want to see it working in action, you can visit safarileaks.com, a website made by FingerprintJS that demonstrates how the vulnerability works. Of course, you need to open it in Safari 15 on macOS, or any browser on iOS and iPadOS 15.

I tested it with Safari 15 on macOS and the website revealed that five database names were being leaked. I also tested it on the Google Chrome app on my phone and got similar results.

If you open up a new tab with something like YouTube, it will detect your Google User ID and show what hackers will be able to see, including your profile picture. Other affected websites include but are not limited to Bloomberg, Slack Web, Google Calendar, Dropbox, Instagram, Netflix, Twitter, and WhatsApp Web.

The bug was reported on November 28th 2021, but as of January 17th 2022, Apple has yet to fix it. According to FingerprintJS, it also affects Private Browsing. If you’re concerned about this, you can use another browser on macOS like Chrome, Firefox, or my personal recommendation Brave. As for iOS and iPadOS users, just be careful and try not to visit any sketchy sites. That’s all you can do.

[ SOURCE ]