Safari Bug in macOS and iOS 15 Could Leak Your Personal Data and Allow Websites to Track Your Browsing History

By Anu Joy

Published 17 Jan 2022

A bug in Safari 15 could leave you vulnerable to malicious actors by revealing your identity and even allowing websites to track your browsing history. In a blog post, FingerprintJS disclosed that the bug stems from Safari 15’s implementation of the IndexedDB API.

What is IndexedDB?

IndexedDB is a low-level browser API that stores client-side information. It follows the same-origin policy, which controls how scripts loaded from one origin can interact with resources from other origins. In short, a website can only access the data it generated itself, so it isn’t allowed to snoop on other websites.

Safari 15 on macOS and all browsers on iOS and iPadOS 15 violate this same-origin policy, and this has serious implications. With this bug, malicious websites can not only learn about your identity, but also link together multiple accounts that you use.

 

How to Check if Your Browser is Affected

If your browser is affected by the bug and you visit different websites in the same tab, the databases associated with these websites will be leaked to the sites you subsequently access. You’re vulnerable to the leak if you use Safari 15 on macOS, even in private mode. All browsers on iOS and iPadOS 15 are also affected.
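The difference between enforcing the same-origin policy and the behaviour described above can be shown with a simplified model. This is an added example, not code from FingerprintJS or WebKit; the class and function names, the `.example` sites and the database names are all constructed for illustration.

```javascript
// Simplified model, constructed for illustration (not WebKit or FingerprintJS code).
// One browser session records each IndexedDB database with its creating origin.

// An origin is the (scheme, host, port) tuple; URL.origin serializes it
// and drops default ports, so https://a.example:443 equals https://a.example.
function originOf(url) {
  return new URL(url).origin;
}

class SessionStore {
  constructor() {
    this.records = []; // entries of the form { origin, name }
  }

  // A page creates a database; it is recorded under the page's origin.
  open(pageUrl, name) {
    this.records.push({ origin: originOf(pageUrl), name });
  }

  // Same-origin policy enforced: a page sees only its own origin's entries.
  listSameOrigin(pageUrl) {
    const caller = originOf(pageUrl);
    return this.records.filter((r) => r.origin === caller);
  }

  // Model of the reported flaw: entries are returned without an origin filter.
  listUnscoped(_pageUrl) {
    return this.records.slice();
  }
}

// Entries visible to pageUrl that were created by a different origin.
function crossOriginEntries(pageUrl, visible) {
  const caller = originOf(pageUrl);
  return visible.filter((r) => r.origin !== caller);
}

// Constructed sample: sites visited earlier in the same tab, then a news page.
function demo() {
  const s = new SessionStore();
  s.open("https://mail.example/inbox", "mail-cache");
  s.open("https://shop.example:8443/cart", "cart-v2");
  s.open("http://news.example/", "legacy-prefs"); // other scheme, other origin
  s.open("https://news.example:443/", "reader-prefs"); // same origin as page
  const page = "https://news.example/article/1";
  return {
    enforced: crossOriginEntries(page, s.listSameOrigin(page)),
    unscoped: crossOriginEntries(page, s.listUnscoped(page)),
  };
}
console.log(demo());
```

With the origin filter in place the news page sees no foreign entries; without it, the entries from the mail and shop sites, and from the `http://` variant of the news site, become visible to it.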

FingerprintJS has created a proof-of-concept demo that you can try for yourself if you use an iPhone, Mac or iPad. If your browser is affected, it will show how your browsing history and identity are leaked. Note that the identity data will only be available if you’re already signed in to your Google account.

What is Apple Doing About it?

So far, nothing. FingerprintJS reported the bug to the WebKit Bug Tracker on November 28, 2021. Apple will need to fix the bug with software updates, but the company hasn’t addressed the issue yet.

Unfortunately, there’s no easy fix that Mac, iPadOS and iOS users can implement. You could block all JavaScript by default and only allow it for trusted sites. However, this is painfully inconvenient and will most certainly ruin your browsing experience. Thankfully, Apple still allows Mac users the privilege of switching to other browsers until the bug is fixed. But there’s no respite for iOS and iPadOS users since all browsers are affected on these devices.

Rolling out a software update squashing the bug is the only practical solution to this menace.

[Via FingerprintJS]