ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

Safari 15 bug exposes your search history and personal identifiers to websites

The bug could expose your search history and Google User ID to third-party websites – a major privacy issue that Apple hasn't resolved yet.

 

A fingerprinting and fraud detection service, FingerprintJS, has recently discovered and described a bug in Safari 15 that can track browsing activities and even reveal your identity to websites. Everyone using the latest version of macOS, iOS, and iPadOS, as well as the Safari browser users, is at risk of data leaks.

About the bug

The Safari 15 bug originates from Apple's implementation of JavaScript API, called IndexedDB. The implementation, however, violates the same-origin policy of IndexedDB – a principal security mechanism that restricts documents and scripts from one origin to interact with resources from another. This results in the bug allowing one website to access a database of another website, whereas in normal conditions, this should never be the case. As a rule, indexed databases each have a separate origin, and documents and scripts of one origin should never be able to access different origin databases.

Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.

Software Engineer at Core API, Martin Bajanik

The obvious privacy violation coming from this bug, therefore, leaves the door wide open for all sorts of cross-tracking practices and abuses. For example, random websites, including malicious ones, could see the name of a database created on a site with details specific to someone's identity. Also, Google User ID allows Google to access the user information, such as profile pictures or names – which this Safari bug has made accessible to other websites now.

The worst part is – these leaks do not require any additional action from a user. A tab or window running in the background can see what other websites a user visits in real-time, since the bug continually queries the IndexedDB API in search of available databases. What's more, a website can open another website in a pop-up and trigger a leak in it.

Inspect leaks with a demo by FingerprintJS

FingerprintJS created a demo that uses the browser's IndexedDB vulnerability to identify the infected sites (among those you are currently using or have used recently). The demo also showcases how the information from your Google User ID gets snatched if you are logged in to your Google account while browsing. You can try the demo on Safari and all iOS and iPadOS web browsers.

So far, FingerprintJS has tested more than 1,000 websites and identified more than 30 websites affected by the bug, including the planetary popular Instagram, Twitter, Netflix, and Xbox. The researchers suspect, however, that this number is much higher in real life since websites can interact with databases on sub-pages if supported by specific user actions.

How can Mac, iOS, and Safari users protect themselves?

Unfortunately, this issue hasn't been resolved yet, and there isn't much that Apple customers can do to protect themselves from the sites exploiting the bug at the moment. One drastic measure you could try is to block all JavaScript by default and only allow it on trusted websites. However, this could disturb your browsing experience and there's no guarantee that you won't get targeted via trusted sites.

If you are a Mac user, you can switch to a safer browser until the vulnerability gets fixed. Unfortunately, iOS and iPadOS users do not have this option since Apple has banned third-party browser engines on iOS – which made all iOS users even more prone to this bug. So, all we can do is wait to update our OS once Apple resolves this issue. We can only hope that this will happen soon because both the users' privacy and the company's reputation are, once again, at stake.

Written by: Danka Delić

With her BA in English Language and Literature, Private Pilot Licence, and passion for researching and writing, Danka brings further diversity to the team. As a former world traveler, she learned to appreciate cyber security and the necessity for digital privacy. Danka is a nature, animal, and written-word lover. She enjoys staying on the go, both mentally and physically, and spends most of her free time either reading or hiking with her dog.

0 Comments

There are no comments yet.

Got Something to Say?

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

Large brand with very good value, and a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service