Stefan Mileschin

Could not be bothered fixing the problem

Fruity cargo cult Apple sat on a serious Safari bug which disclosed user data for months and still cannot be bothered fixing it.

The fault found here from FingerprintJS discloses information about your recent browsing history and even some info of the logged-in Google account. Making it an ideal thing for autocratic government’s to use for snooping on dissidents and journalists who are dumb enough to use Safari to surf the web.

The problem lies in Safari's super cool, advanced, and secure IndexedDB implementation on Mac and iOS. It provides a feature which means that a website can see the names of databases for any domain, not just its own.

The database names can then be used to extract identifying information from a lookup table. For instance, Google services store an IndexedDB instance for each of your logged in accounts, with the name of the database corresponding to your Google User ID.

Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services.

In the proof-of-concept demo, the user's profile picture is revealed. FingerprintJS says they reported the bug to Apple on 28 November but it has not yet been resolved.

https://fudzilla.com/news/mobile/542...ata-for-months