Safari 15 could leak Google account info to malicious sites

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers.

The vulnerability was discovered by fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository.

As of 28 November last year, the issue had not been fixed, so the team at Fingerprint JS decided to make the finding public to encourage a faster fix.

[…]

not only can a malicious website learn the user’s identity, it can stitch together multiple separate accounts from the same user without that person even doing anything, other than running a window in the background. The malicious website can open other websites, if programmed in an iframe or popup, and thus open a Pandora’s box of leaking data.

Fingerprint JS made a video explaining the process:

[…]

Source: Safari 15 could leak Google account info to malicious sites • The Register
