The bug could expose your search history and Google User ID to third-party websites – a major privacy issue that Apple hasn't resolved yet.
FingerprintJS, a fingerprinting and fraud detection service, has recently discovered and described a bug in Safari 15 that can be used to track browsing activity and can even reveal your identity to websites. Anyone using the latest versions of macOS, iOS, and iPadOS, as well as Safari browser users, is at risk of data leaks.
About the bug
The Safari 15 bug originates from Apple's implementation of a JavaScript API called IndexedDB. The implementation violates the same-origin policy that IndexedDB is supposed to follow – a principal security mechanism that restricts how documents and scripts from one origin can interact with resources from another. As a result, the bug allows one website to access a database of another website, which should never happen under normal conditions. As a rule, each indexed database belongs to a single origin, and documents and scripts from one origin should never be able to access databases from a different origin.
Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.
The resulting privacy violation leaves the door wide open for all sorts of cross-site tracking practices and abuses. For example, random websites, including malicious ones, could see the name of a database created on another site, and that name may contain details specific to someone's identity. In addition, a Google User ID allows Google to access user information such as profile pictures or names – and this Safari bug has now made that ID accessible to other websites.
The worst part is that these leaks do not require any additional action from the user. A tab or window running in the background can see which other websites a user visits in real time, since it can continually query the IndexedDB API in search of available databases. What's more, a website can open another website in a pop-up and trigger a leak in it.
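For site operators, one way to gauge what their own site would expose through database names is to audit the names it creates. The following is an added example, not code from FingerprintJS or Apple; the patterns, function names and sample database names are assumptions constructed for illustration.

```javascript
// Added example: audit the IndexedDB database names your own site creates.
// Patterns are heuristic assumptions; tune them to your identifier formats.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-numeric-id", re: /\d{12,}/ },
];

// Returns the kinds of user-specific identifier a name appears to embed.
function classifyName(name) {
  return IDENTIFIER_PATTERNS.filter((p) => p.re.test(name)).map((p) => p.kind);
}

// Splits names into ones that only reveal that the site was visited
// and ones that additionally look unique to an individual user.
function auditDatabaseNames(names) {
  const report = { siteRevealing: [], userRevealing: [] };
  for (const name of names) {
    const kinds = classifyName(name);
    if (kinds.length > 0) report.userRevealing.push({ name, kinds });
    else report.siteRevealing.push(name);
  }
  return report;
}

// Browser use: run on your own origin, in a browser not affected by the
// bug, so that only your site's database names are listed.
async function auditCurrentOrigin() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return null;
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache",
  "offline.requests.123456789012345678901",
  "settings-jane.doe@example.com",
  "sync-3f2b8c1e-9a4d-4c7b-8e21-0d5f6a7b8c9d",
  "keyval-store",
];
```

Names reported under `userRevealing` are candidates for renaming to a fixed, user-independent name, with the identifier moved inside the database as a record.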
Inspect leaks with a demo by FingerprintJS
FingerprintJS created a demo that uses the browser's IndexedDB vulnerability to identify the affected sites (among those you are currently using or have used recently). The demo also shows how your Google User ID can be picked up if you are logged in to your Google account while browsing. You can try the demo on Safari and all iOS and iPadOS web browsers.
So far, FingerprintJS has tested more than 1,000 websites and identified more than 30 websites affected by the bug, including the globally popular Instagram, Twitter, Netflix, and Xbox. The researchers suspect, however, that the real number is much higher, since websites can also interact with databases on sub-pages or after specific user actions.
How can Mac, iOS, and Safari users protect themselves?
Unfortunately, this issue hasn't been resolved yet, and there isn't much that Apple customers can do at the moment to protect themselves from sites exploiting the bug. One drastic measure you could try is to block all JavaScript by default and only allow it on trusted websites. However, this could disrupt your browsing experience, and there's no guarantee that you won't get targeted via trusted sites.
If you are a Mac user, you can switch to a safer browser until the vulnerability gets fixed. Unfortunately, iOS and iPadOS users do not have this option, since Apple has banned third-party browser engines on iOS – which leaves all iOS users even more exposed to this bug. So all we can do is wait and update our OS once Apple resolves the issue. We can only hope that this will happen soon, because both users' privacy and the company's reputation are, once again, at stake.