Safari 15 has a vulnerability that leaks your browsing activity and can even reveal your identity to malicious parties. The issue arose from a bug introduced in the implementation of IndexedDB, an Application Programming Interface (API) for storing structured data. Users running the latest versions of macOS, iOS and iPadOS are affected by the vulnerability. While macOS users can avoid the impact by switching to a third-party browser, iPhone and iPad users have no solution at this time.
As initially reported by 9to5Mac, fingerprinting and fraud detection company FingerprintJS has discovered the IndexedDB vulnerability affecting Safari 15. The API follows the same-origin policy, which is intended to restrict how documents and scripts loaded from one origin can interact with resources from a different origin. This helps a web browser keep your session in one tab secure from the website you opened in another tab.
However, FingerprintJS researchers have found that Apple’s implementation of IndexedDB violates the same-origin policy. This creates a loophole that an attacker can exploit to gain access to your browsing activity or the identity associated with your Google account.
“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session,” the researchers said, explaining the vulnerability.
The flaw allows hackers to learn which websites you visit in different tabs or windows. It also exposes your Google user ID to websites other than the one where you are signed in with your Google account. The Google User ID allows websites to access your personally identifiable information, including your profile picture. Ultimately, hackers could see those identifiers by exploiting the Safari vulnerability.
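The behaviour the researchers describe can be expressed as a same-origin invariant and checked against a small model. The following is an added example, not FingerprintJS's proof of concept and not real browser code: the `Session` class, the origins and the database names are all constructed for illustration.

```javascript
// Model of a browser session: every open frame has an origin and a set of
// IndexedDB database names it can see. Nothing here calls a real browser API.
class Session {
  constructor(leaky) {
    this.leaky = leaky;   // true = behaviour described in the researchers' quote
    this.frames = [];     // open frames, tabs and windows in the session
  }
  open(origin) {
    const frame = { origin, names: new Set() };
    this.frames.push(frame);
    return frame;
  }
  createDatabase(frame, name) {
    for (const f of this.frames) {
      // Same-origin policy: only frames of the creating origin see the name.
      // Leaky mode: an empty database with that name appears in every frame.
      if (f.origin === frame.origin || this.leaky) f.names.add(name);
    }
  }
}

// Invariant: every name visible to a frame was created by that frame's origin.
function crossOriginNames(session, created) {
  const violations = [];
  for (const f of session.frames)
    for (const n of f.names)
      if (!(created.get(f.origin) || new Set()).has(n))
        violations.push(`${f.origin} sees ${n}`);
  return violations.sort();
}

function run(leaky) {
  const s = new Session(leaky);
  const created = new Map();   // origin -> names that origin really created
  const shop = s.open("https://shop.example");   // constructed origins
  const news = s.open("https://news.example");
  for (const [frame, name] of [[shop, "cart-user-1001"], [news, "reader-prefs"]]) {
    s.createDatabase(frame, name);
    if (!created.has(frame.origin)) created.set(frame.origin, new Set());
    created.get(frame.origin).add(name);
  }
  return crossOriginNames(s, created);
}

console.log("isolated:", run(false));
console.log("leaky:   ", run(true));
```

In the isolated model the invariant holds; in the leaky model each origin sees the other's database name, which is why a name that embeds a user identifier becomes readable by unrelated sites.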
FingerprintJS claims that the number of websites that can communicate and access users’ browsing activity and personal identifiers can be significant. To demonstrate the flaw, the researchers also released a proof-of-concept.
You can use the demo on your Mac, iPhone or iPad with Safari 15 to see the vulnerability in action. It currently detects popular sites including Alibaba, Instagram, Twitter and Xbox to show how database information can leak from one site to another. However, the problem is not limited to these sites and can also affect users who visit other sites.
Users switching to private mode in Safari 15 may reduce the amount of information available through the leak, as private browsing sessions in the browser are limited to a single tab. However, you will end up leaking your data if you visit multiple websites in a row in the same tab.
Mac users can switch to a third-party browser, such as Google Chrome or Mozilla Firefox, to avoid the flaw.
However, on iOS, the problem is not limited to Safari and cannot be solved by switching to Chrome or any other third-party browser. This is because Apple does not allow iOS web browsers to use a third-party browser engine on iPhone and iPad.
Users can limit the data leak by disabling JavaScript in their browser for the time being. But that will affect their experience, as most sites today rely on JavaScript to provide a modern browsing experience.
FingerprintJS reported the issue to the WebKit Bug Tracker on November 28. However, the bug still exists.
Gadgets 360 has reached out to Apple for comment on the vulnerability and whether it is working on a fix. This article will be updated when the company responds.
Vulnerabilities affecting Safari are not new. Last year, Apple had to re-release its browser to fix security vulnerabilities and bugs introduced by a previous update. The latest Safari build (version 15.2) released in December also fixed six known WebKit vulnerabilities that existed in previous versions that could allow attackers to maliciously access user data.