Apple’s recently released Safari 15 has a bug that can reveal your browsing history and other sensitive information to malicious websites. The bug, discovered by FingerprintJS, lies in Safari’s IndexedDB API and remains unpatched at the time of writing. Here’s what you need to know about it.
Beware of This Safari 15 Bug
The Safari bug is explained in a detailed blog post. According to that post, a vulnerability in Safari 15’s implementation of IndexedDB, a low-level application programming interface (API) used to store large amounts of structured data in the browser, lets websites track user activity and acquire unique Google user IDs.
A Google user ID is a unique identifier for a Google account and can be used to look up the account’s public personal information. The exploit can therefore leak such information, including users’ profile photos, to cybercriminals.
For those unaware, IndexedDB in WebKit, like most modern web security technologies, follows the same-origin policy to safeguard user data in the browser. Under that policy, a site can only access data stored under its own origin, and data from one origin is kept from interacting with resources of another. In simple terms, if you open a website in one tab of your browser and your email in another, the same-origin policy stops the website from viewing or tracking what happens in the email tab.
To demonstrate this, the FingerprintJS team created a proof-of-concept demo website that showcases the bug in Safari 15. If you are using Safari on a Mac or iOS device, you can go to this link and try the demo for yourself.
In our testing, the demo website was able to track the websites visited during the browsing session and to acquire the unique Google ID and the corresponding profile picture. It is said to detect 30 popular websites at present, including Bloomberg, Slack, Instagram, Netflix, Twitter and more. Furthermore, the bug also affects users in Safari’s Private Browsing mode.
The post further notes that while the “cross-origin-duplicated databases” can in principle be deleted, a separate issue prevents this from happening.
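To make the same-origin behaviour described above and the cross-origin duplication reported by FingerprintJS concrete, here is an added JavaScript model of per-origin IndexedDB database-name storage. It is illustration written for this article, not Safari’s or WebKit’s code; the origins and database names are constructed, and the duplication is a simplified model of the reported behaviour rather than a reproduction of the browser internals.

```javascript
// Simplified model of IndexedDB database names partitioned by origin.
// Added illustration, not WebKit code: it contrasts correct same-origin
// behaviour with the cross-origin duplication reported in Safari 15.
class IndexedDbModel {
  constructor({ duplicateAcrossOrigins = false } = {}) {
    this.duplicateAcrossOrigins = duplicateAcrossOrigins;
    this.perOrigin = new Map(); // origin -> Set of database names
  }

  // A tab or frame for `origin` becomes active in the browsing session.
  activate(origin) {
    if (!this.perOrigin.has(origin)) this.perOrigin.set(origin, new Set());
  }

  // Models indexedDB.open(name) called by a page on `origin`.
  open(origin, name) {
    this.activate(origin);
    this.perOrigin.get(origin).add(name);
    if (this.duplicateAcrossOrigins) {
      // Modelled bug: an empty database with the same name shows up in
      // every other active origin, so the name becomes visible there.
      for (const [other, names] of this.perOrigin) {
        if (other !== origin) names.add(name);
      }
    }
  }

  // Models indexedDB.databases() called by a page on `origin`.
  databases(origin) {
    this.activate(origin);
    return [...this.perOrigin.get(origin)].sort();
  }
}

// Database names visible to `observer` that it did not create itself:
// under a correct same-origin policy this list is always empty.
function leakedNames(model, observer, ownNames) {
  return model.databases(observer).filter((n) => !ownNames.includes(n));
}

// Constructed scenario: a signed-in mail site in one tab, an unrelated
// site in another. Returns what the unrelated site can learn.
function scenario(duplicateAcrossOrigins) {
  const model = new IndexedDbModel({ duplicateAcrossOrigins });
  model.activate("https://othersite.example");            // constructed
  model.open("https://mail.example", "user-profile-cache"); // constructed
  model.open("https://othersite.example", "site-cache");
  return leakedNames(model, "https://othersite.example", ["site-cache"]);
}
```

With duplication off, the second site sees nothing beyond its own database; with it on, the name created by the mail site appears in its listing, which is enough to reveal that the mail site was visited.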
FingerprintJS reportedly disclosed the bug to Apple on November 28 last year, but no fix has been released since. It remains to be seen what measures Apple takes to address it, given that there’s not much a user can do. We recommend switching to another browser until this Safari bug is patched, although changing browser is futile on iOS and iPadOS, where every browser is built on the same WebKit engine.