By using multi-gesture trackpad along with Safari browser in MacBook Pro, one can view sensitive data which is cached in your Safari browser. (Note: This is not a back button browsing vulnerability)
I figured out this issue while playing around with Safari browser, looks like the most recent activity of any authenticated or un-authenticated website is stored in the cache of Safari and by taking the advantage of multi-gesture trackpad we can retrieve any or all information about that activity.
Looks like Apple provides a feature in trackpad which allows users to swipe between the pages or applications. It also allows you to tap, swipe, pinch, or spread one or more fingers to perform useful actions but seems they forgot to add some security measures in this.
Steps to reproduce: 1. Open Safari (v12.0.2 (14606.3.4) was used in this case) 2. Login to any dynamic website (I’ve used www.gmail.com) 3. Perform your dynamic activity 4. Logout (But don’t close your safari browser) 5. Now swipe right
You would actually see your recent data, between the pages. I’ve also created a video proof-of-concept for same. Apple says: After reviewing your report we do not see any actual security implications.
But, I feel like this is an interesting issue which can be exploited by a local attacker. Also this only works with safari browser only. I hope you like the read.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.