Researchers have discovered a severe bug in the Safari 15 browser that potentially leaks a users’ identity and browsing history. Apple addressed the matter following the bug report and a patch will soon reach users. Until then, users should be careful about the websites they visit. Ideally, users should limit their browsing (via Safari) to trusted websites only.
Safari 15 Browser Bug Exposing User Data
As elaborated in a detailed post, researchers from FingerprintJS discovered a Safari 15 vulnerability affecting users’ privacy.
Specifically, the vulnerability exists in the IndexedDB API implementation in the browser. Exploiting this bug allows websites to track users’ online activities or even discover their identity.
The issue appeared due to the violation of the same-origin policy. Consequently, the database names leak to the websites in different windows or tabs in the same session.
Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.
This doesn’t only violate users’ privacy but can also lead to identification since some websites create database names with unique user identifiers.
It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names. This means that authenticated users can be uniquely and precisely identified.
For instance, Google apps like YouTube, Google Calendar, or Google Keep create databases with a Google User ID. This identifier also uniquely identifies a Google account if signed in.
This serious glitch affects Safari 15 on macOS and all browsers on iOS 15 and iPadOS 15. To make matters worse, this glitch also affects the Safari private mode sessions.
The researchers have developed a demo website that Safari users can visit to learn about the leaked details.
Apple Rolling Out A Fix
Following this discovery, the researchers reported the matter to the WebKit Bug Tracker in November 2021.
The researchers have confirmed that Apple is working on a resolution. So, a patch may arrive soon. Meanwhile, Safari users should switch to other browsers to protect their privacy.