A bug in Safari 15 can leak your browsing activity, and can also reveal some of the personal information attached to your Google account. The vulnerability stems from an issue with Apple’s implementation of index, an application programming interface that stores data on your browser.

Index abides by the same-origin policy, which restricts one origin from interacting with data that was collected on other origins. If you open your email account in one tab and then open a malicious webpage in another, a same-origin policy prevents the malicious page from viewing and meddling with your email.

Apple’s application of the index index in Safari 15 violates the same-origin policy. fingerprintjs found that a new database with the same name is created in all other active frames, tabs, and Windows within the same browser session.

Sites that use your Google account, like YouTube, Google Calendar, and Google keep, all generate databases with your unique Google user ID in its name. Your user ID allows Google to access your publicly-available information, such as your profile picture, which the Safari bug can expose to other websites.

On OSX, Safari users can switch to another browser to avoid their data leaking across origins. Apple imposes a ban on other browser engines.

The demo uses the browser’s IndexDB vulnerability to identify the sites you have open. It currently only detects 30 popular sites that are affected by the bug, such as Instagram, Netflix, Twitter, Xbox.