The bug could expose your search history and Google User ID to third-party websites – a major privacy issue that Apple hasn't resolved yet.
FingerprintJS, a fingerprinting and fraud detection service, has recently discovered and described a bug in Safari 15 that can be used to track browsing activity and can even reveal your identity to websites. Everyone using the latest versions of macOS, iOS, and iPadOS, along with Safari browser users, is at risk of data leaks.
About the bug
Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.
The privacy violation arising from this bug therefore leaves the door wide open to all sorts of cross-site tracking practices and abuses. For example, random websites, including malicious ones, could see the name of a database created on a site, and that name can contain details specific to someone's identity. Also, a Google User ID allows Google to access user information, such as profile pictures or names – which this Safari bug has now made accessible to other websites.
The worst part is that these leaks do not require any additional action from a user. A tab or window running in the background can see what other websites a user visits in real time by continually querying the IndexedDB API for available databases. What's more, a website can open another website in a pop-up and trigger a leak in it.
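For site developers, the leak described above means a database name should never carry per-user data. The following added example (not code from FingerprintJS or from the original article) flags IndexedDB database names that embed identifiers; the patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: audit IndexedDB database names for user-identifying content.
// Patterns, function names and sample names are constructed for illustration.
const IDENTIFYING_PATTERNS = [
  { label: "long numeric ID", re: /\d{15,}/ },
  { label: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { label: "email address", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
];

// Returns one finding per database name that embeds a per-user value.
// knownUserValues: identifiers of the signed-in test account (e.g. its user ID).
function auditDatabaseNames(names, knownUserValues = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const { label, re } of IDENTIFYING_PATTERNS) {
      if (re.test(name)) reasons.push(label);
    }
    for (const value of knownUserValues) {
      if (value && name.includes(value)) reasons.push("known user value");
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// In a browser, audit the databases your own origin has created.
async function auditCurrentOrigin(knownUserValues = []) {
  const dbs = await indexedDB.databases(); // resolves to [{ name, version }, ...]
  return auditDatabaseNames(dbs.map((db) => db.name), knownUserValues);
}

// Constructed sample: names a site might create for a signed-in test account.
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.123456789012345678901",
  "drafts-3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d",
  "inbox:test.user@example.com",
  "media-v2",
];
const sampleFindings = auditDatabaseNames(SAMPLE_NAMES, ["123456789012345678901"]);
console.log(sampleFindings);
```

Any name this reports should be replaced with a static one, with the per-user value moved into a record inside the database, where other origins cannot read it.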
Inspect leaks with a demo by FingerprintJS
FingerprintJS created a demo that uses the browser's IndexedDB vulnerability to identify the affected sites (among those you are currently using or have used recently). The demo also showcases how the information from your Google User ID gets snatched if you are logged in to your Google account while browsing. You can try the demo on Safari and all iOS and iPadOS web browsers.
So far, FingerprintJS has tested more than 1,000 websites and identified more than 30 websites affected by the bug, including the globally popular Instagram, Twitter, Netflix, and Xbox. The researchers suspect, however, that this number is much higher in real life, since websites can interact with databases on sub-pages in response to specific user actions.
How can Mac, iOS, and Safari users protect themselves?
If you are a Mac user, you can switch to a safer browser until the vulnerability gets fixed. Unfortunately, iOS and iPadOS users do not have this option since Apple has banned third-party browser engines on iOS – which made all iOS users even more prone to this bug. So, all we can do is wait to update our OS once Apple resolves this issue. We can only hope that this will happen soon because both the users' privacy and the company's reputation are, once again, at stake.