Safari on iOS 15 and iPadOS 15 has a bug that can be exploited to reveal your personal data
The Google User ID leads an attacker to a wealth of personal data. Each ID can be used to identify a specific Google account and, in combination with Google APIs, it can at the least reveal your profile picture to a hacker. It could also help the attacker grab much more personal information and unravel “multiple separate accounts” owned by the same user.
Unfortunately, an attacker can learn your personal information without you performing any specific action. As the report states: “A tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real-time. Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.”
FingerprintJS checked Alexa’s top 1,000 visited sites and found that 30 interact with indexed databases right on their homepage, without any interaction or authentication required by the user. Even if a person is using the private mode in Safari, if he visits multiple websites using the same tab, all databases interacted with are leaked to the sites the user subsequently visits.
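To check whether a particular browser build still shows this behavior, a page you control can create a canary database, ask the IndexedDB API for the available databases, and flag any name it did not create. A browser that scopes the listing to the current origin returns only that origin's databases. This is an added example, not code from FingerprintJS or the original article; it assumes the standard `indexedDB.databases()` call, and the function names and the `knownOwn` parameter are hypothetical.

```javascript
// Added self-check (hypothetical helper names); run it on a page you control.

// Decision step: which listed names were not created by this origin?
function classifyListing(listed, canary, knownOwn = []) {
  const names = [...new Set(listed.map((d) => d.name))]; // drop duplicates
  const own = new Set([canary, ...knownOwn]);
  const foreign = names.filter((n) => !own.has(n));
  const canarySeen = names.includes(canary);
  return {
    canarySeen, // if our own canary is missing, the listing is unreliable
    foreign,
    // Only conclude "affected" when the listing demonstrably works.
    affected: canarySeen && foreign.length > 0,
  };
}

// Wrap an IDBRequest in a promise.
function done(req) {
  return new Promise((resolve, reject) => {
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}

// Browser wrapper: create a canary, list databases, classify, clean up.
// knownOwn = names of databases this origin legitimately uses (assumption:
// the caller knows them, otherwise they would be reported as foreign).
async function selfTest(knownOwn = [], idb = globalThis.indexedDB) {
  if (!idb || typeof idb.databases !== "function") {
    return { supported: false }; // API absent: nothing to enumerate
  }
  const canary = `canary-${Date.now()}-${Math.random().toString(36).slice(2)}`;
  const db = await done(idb.open(canary));
  db.close();
  try {
    const listed = await idb.databases();
    return { supported: true, ...classifyListing(listed, canary, knownOwn) };
  } finally {
    await done(idb.deleteDatabase(canary)); // always remove the canary
  }
}
```

An `affected: true` result on a fresh tab means the browser is listing databases that belong to other origins.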
Is there a way to avoid this bug?
There isn’t much that a Safari user can do if he is running iOS 15 or iPadOS 15. One suggestion is to block all JavaScript by default and only allow it on sites that are 100% trusted. Mac users can switch browsers to escape this bug, but this is not a solution on iOS 15 or iPadOS 15. We should point out that the bug was submitted by FingerprintJS to the WebKit Bug Tracker on November 28, 2021, as bug 233548.