Safari 15 was found to have a vulnerability that is leaking your browsing activity and even letting bad actors know your identity. The issue arose due to a bug introduced in the implementation of IndexedDB, which works as an application programming interface (API) for storing structured data. Users on the latest version of macOS as well as iOS and iPadOS are affected by the vulnerability. While macOS users can overcome the impact by switching to a third-party browser, iPhone or iPad users don’t have that remedy at the moment.
as initially reported by 9to5Mac, the FingerprintJS browser fingerprint and fraud detection company discovered the IndexedBD vulnerability affecting Safari 15. The API follows the same origin policy which is intended to restrict documents and scripts loaded from one source to interact with resources from other sources. This helps a web browser secure your session on one tab of the website you accessed on the other tab.
However, researchers at FingerprintJS found that Apple’s implementation of indexed db violates the policy. This results in the loophole that an attacker can exploit to gain access to your browsing activity or identity attached to your Google account.
“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows in the same browser session,” the researchers said. he said when explaining the vulnerability.
The flaw lets hackers know which websites you are visiting in different tabs or windows. It also exposes your Google user ID to websites other than the ones you signed in to with your Google account. The Google User ID allows websites to access your personal identifiers, including your profile picture. Eventually, hackers can parse these identifiers by exploiting the Safari vulnerability.
FingerprintJS states that the number of websites that can interact and gain access to users’ browsing activity and personal identifiers can be significant. To demonstrate the flaw, a proof of concept was also released by the researchers.
You can use the demo on your Mac, iPhone or iPad that has Safari 15 to check the vulnerability. It currently detects popular websites including Alibaba, Instagram, Twitter and Xbox to suggest how one website’s database can be leaked to others. However, the problem is not limited to them and can also affect users visiting other websites.
Users switching to private mode in Safari 15 may reduce the extent of information available through the leak as private browsing sessions in the browser are restricted to a single tab. However, you will end up leaking your data if you visit multiple websites one after another in the same tab.
Mac users can, however, switch to a third-party browser such as Google Chrome or Mozilla Firefox to resolve the security hole.
However, on iOS, the problem is also not just limited to Safari and cannot be overcome by migrating to Chrome or another third-party browser. It is because Apple does not allow iOS web browsers to use a third-party browser engine on iPhone and iPad.
FingerprintJS reported the issue to WebKit Bug Tracker on November 28. The flaw still exists, however.
Gadgets 360 has reached out to Apple to comment on the vulnerability and whether it is working on a fix. This article will be updated when the company responds.
Vulnerabilities affecting Safari are nothing new. Last year, Apple had to relaunch its browser to fix security issues and bugs that were introduced by a previous update. The latest version of Safari (version 15.2) released in December also fixed six known WebKit security issues that existed in previous versions and could allow attackers to gain malicious access to user data.
See the latest from the Consumer Electronics Show on Gadgets 360 in our CES 2022 hub.