A bug in Safari 15 could leave you vulnerable to malicious actors by revealing your identity and even allowing websites to track your browsing history. In a blog post, FingerprintJS disclosed that this bug originates due to Safari 15’s implementation of the IndexedDB API.
What is IndexedDB?
IndexedDB is a low-level browser API that stores client-side information. It follows the same-origin policy that controls how scripts loaded from one origin can interact with resources from other origins. In short, a website isn’t allowed to snoop on other websites as it can only access data generated by it.
Safari 15 on macOS and all browsers on iOS and iPadOS 15 violate this same-origin policy, and this has serious implications. With this bug, malicious websites can not only learn about your identity, but also link together multiple accounts that you use.
How to Check if Your Browser is Affected
If your browser is affected by the bug and you visit different websites in the same tab, the databases associated with these websites will be leaked to the sites you subsequently access. You’re vulnerable to the leak if you use Safari 15 on macOS, even in private mode. All browsers on iOS and iPadOS 15 are also affected.
FingerprintJS has created a proof-of-concept demo that you can try for yourself if you use an iPhone, Mac or iPad. If your browser is affected, it will show how your browsing history and identity is leaked. It is to be noted that the identity data will only be available if you’re already signed in to your Google account.
— Lukasz Olejnik (@lukOlejnik) January 15, 2022
What is Apple Doing About it?
So far, nothing. FingerprintJS reported the bug to the WebKit Bug Tracker back in November 28, 2021. Apple will need to fix the bug with software updates, but the company hasn’t addressed the issue so far.
Rolling out a software update squashing the bug is the only practical solution to this menace.[Via FingerprintJS]