A bug in Safari exposes the browsing history of iPhone, iPad and Mac users. By exploiting this serious flaw, a malicious website can discover all the sites you have visited as well as your Google ID.
FingerprintJS, a company specializing in the detection of Internet fraud, has just discovered a serious bug in Safari, the default built-in web browser on iPhones, iPads, and Macs. In a report published on its blog on January 14, 2022, the firm explains that it has detected a flaw in Safari's implementation of IndexedDB, an API for storing data in the browser, on Mac and iOS.
Because of this flaw, any website is able to capture data about the users who visit it. “The flaw allows websites to learn which websites the user visits in different tabs or windows”, explains FingerprintJS in its report. Ultimately, the browsing history is at the mercy of any fraudulent site.
A bug in Safari exposes your Google ID
By exploiting the flaw, a website can also steal your Google user ID. “Authenticated users can be uniquely and accurately identified. Some of the most popular examples are YouTube, Google Calendar or Google Keep. All of these websites create databases that include the Google Authenticated User ID”, continues the firm.
With this ID in hand, a malicious website can collect data from your account. Using the flaw described in their report, the researchers notably succeeded in stealing the user's avatar. With this image, it is easy to find an individual on social networks, on Facebook in particular. “Untrustworthy or malicious websites can learn a user’s identity, but it also allows multiple separate accounts used by the same user to be linked”, warns FingerprintJS, which specifies that the data leaks do not require any action on the part of the user.