New Safari bug can expose Apple users’ browser history and Google account details


A vulnerability in Safari can be exploited to expose your browser history – and possibly parts of your identity.

Revealed in a Saturday blog post by FingerprintJS, the bug was introduced in Safari 15 via the Indexed Database API (IndexedDB), which is part of WebKit, Apple's web browser engine. To put it simply, IndexedDB lets websites you've visited save data on your computer, making them load faster when you return to them later.

IndexedDB also generally follows the same-origin policy, a security mechanism that does not allow websites to freely interact with each other unless they have the same domain name (among other requirements). Think of it as if you were in quarantine and only allowed to spend time with members of your household. So, for example, Netflix can’t access IndexedDB’s saved data to find out that you cheated on them with YouTube.



Unfortunately, the bug revealed by FingerprintJS causes IndexedDB to violate the same-origin policy, exposing the data it collected to websites other than the ones it was collected for. Worse still, some websites, such as those in the Google network, use user-specific unique identifiers in the data provided to IndexedDB. This means that, if you are logged into your Google account, the data collected can be used to precisely identify both your browsing history and your account details. And if you are logged in to multiple accounts, it can figure that out too.
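To make the same-origin rule and its failure concrete, here is an added example (not code from FingerprintJS, Apple or WebKit) that models, in simplified form, which IndexedDB database names a page is allowed to see. The class, function names and sample sites are hypothetical and constructed for illustration.

```javascript
// Added illustration (not WebKit code): toy model of per-origin scoping for
// IndexedDB database names. All names and sample data here are constructed.
class DatabaseRegistry {
  constructor() {
    this.records = []; // every database opened in this browser session
  }

  // An origin is scheme + host + port, stricter than "same domain name".
  static originOf(url) {
    return new URL(url).origin;
  }

  open(pageUrl, name) {
    this.records.push({ origin: DatabaseRegistry.originOf(pageUrl), name });
  }

  // Correct behaviour: a page sees only databases its own origin created.
  listScoped(callerUrl) {
    const caller = DatabaseRegistry.originOf(callerUrl);
    return this.records.filter((r) => r.origin === caller).map((r) => r.name);
  }

  // Flawed behaviour described in the article: the caller's origin is ignored.
  listUnscoped(_callerUrl) {
    return this.records.map((r) => r.name);
  }
}

// Regression check: names visible to the caller that its origin never created.
function crossOriginLeaks(registry, listFn, callerUrl) {
  const own = new Set(registry.listScoped(callerUrl));
  return listFn.call(registry, callerUrl).filter((name) => !own.has(name));
}

function buildSampleRegistry() {
  const reg = new DatabaseRegistry();
  reg.open("https://video.example/watch", "player-cache");
  reg.open("https://mail.example/inbox", "offline-user-1234567890"); // per-user name
  reg.open("http://mail.example/", "legacy-cache"); // http differs from https
  reg.open("https://news.example/", "reader-prefs");
  return reg;
}

const reg = buildSampleRegistry();
const caller = "https://news.example/article";
console.log("scoped leaks:  ", crossOriginLeaks(reg, reg.listScoped, caller));
console.log("unscoped leaks:", crossOriginLeaks(reg, reg.listUnscoped, caller));
```

With correct scoping the check returns an empty list; with the unscoped listing, the news site sees three names it never created, including the one that embeds a per-user identifier.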

“Not only does this imply that untrustworthy or malicious websites can learn a user’s identity, but it also allows multiple separate accounts used by the same user to be linked together,” FingerprintJS wrote. They also released a demonstration showing the kind of information the exploit can reveal.

FingerprintJS reported the bug late last November, but Apple still hasn’t fixed the problem. Mashable has contacted Apple for comment.

This is all concerning, but there’s not much you can do about it right now. Browsing in Safari’s private mode can mitigate potential damage, because a private tab can’t tell what’s going on in other tabs, whether private or public. However, it’s still not foolproof.

“[I]f you visit several different websites within the same [private] tab, all databases that these websites interact with are disclosed to all websites subsequently visited,” FingerprintJS wrote.

Mac users can avoid the vulnerability by switching from Safari to another browser, but iOS or iPadOS users are out of luck. While only Safari was impacted on Mac, Apple’s requirement that all iOS and iPadOS web browsers use WebKit means that the IndexedDB bug impacted all browsers on those systems. The best we can do is wait for Apple to release a patch, upgrade to Android, or just log off.

