A bug has been uncovered in Safari 15, the latest versions of Apple’s default search engine, that exposes users’ internet activity and personal data online.
Discovered by FingerprintJS, the bug allows any website that uses IndexedDB, a JavaScript application programming interface, for client-side data storage to access the names of IndexedDB databases generated by other websites during a user’s browsing session.
The flaw also lets sites ‘see’ which other websites iOS users are visiting in different tabs or windows.
And because some websites use unique user-specific identifiers in database names, users’ information can be easily accessed.
FingerprintJS points out the list of sites include YouTube, Google Calendar and Google Keep.
Apple engineers are preparing a fix, according to 9to5Mac, which is expected to be ‘released to users very soon’ – but the tech giant has yet to reveal when.
A bug has been uncovered in Safari 15, the latest versions of Apple’s default search engine, that exposes users’ internet activity and personal data online
‘The fact that database names leak across different origins is an obvious privacy violation,’ FingerprintJS shared in a blog post.
‘It lets arbitrary websites learn what websites the user visits in different tabs or windows.
‘This is possible because database names are typically unique and website-specific. Moreover, we observed that in some cases, websites use unique user-specific identifiers in database names.
‘This means that authenticated users can be uniquely and precisely identified.’
Apple engineers are preparing a fix, according to 9to5Mac , which is expected to be ‘released to users very soon’ – but the tech giant has yet to reveal when
FingerprintJS also checked the most 1,000 visited websites from Alexa to see how many websites use IndexedDB and can be uniquely identified by the databases they interact with.
The results show that more than 30 websites interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate.
‘We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page,’ FingerprintJS shared.
Although Apple has acknowledged the bug, there is not much users can do to protect themselves until the tech giant rolls out a fix.
FingereprintJS, however, suggests blocking all JavaScript by default and only allow it on sites that are trusted.
Users could also switch to a different browser until Apple rolls out the fix.
‘The only real protection is to update your browser or OS once the issue is resolved by Apple,’ according to FingereprintJS.
