Safari Bug Can ‘Expose Apple Users Browser History, Personal Data’ to Malicious Sites

A bug has been detected on Apple’s Safari 15 that could allegedly track users’ browsing activity and reveal their personal data to other malicious sites.

The bug was revealed in a blog post on Saturday by FingerprintJS, a Chicago, Illinois-based company which developed the “fingerprinting” service to prevent fraud and spam.

According to FingerprintJS, the bug was introduced to Safari 15 via the Indexed Database API (IndexedDB), which is part of Apple’s WebKit, the web browser development engine.

IndexedDB is an application programming interface (API) that stores “significant amounts of structured data” on a user’s browser, such as the websites they have previously visited, in turn making them quicker to load when users visit them again, according to Mozilla.

As FingerprintJS notes, because IndexedDB is a low-level API and commonly used and supported by all major browsers, many developers “choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.”

IndexedDB abides by the same-origin policy, a “critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin,” according to Mozilla.

Simply put, the policy prevents data from one origin, such as your email account which is open in one tab, from interacting with data from other origins, such as a malicious webpage opened in a second tab, meaning the malicious webpage cannot access data from your email account.

However, the bug, according to FingerprintJS, causes IndexedDB to expose the data it has collected to websites it didn’t collect it from.

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy,” FingerprintJS said. “The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific.”

Furthermore, the fingerprinting service discovered that some websites, such as YouTube, Google Calendar, or Google Keep use unique user-specific identifiers in the data provided to IndexedDB, meaning that “authenticated users can be uniquely and precisely identified” if they are logged into their Google account.

“All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts,” FingerprintJS explained.

“Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” FingerprintJS said.

Unfortunately, users cannot do much about the bug for now as even private mode in Safari 15 is also affected by the leak, although because browsing sessions in private Safari windows are restricted to a single tab, using this mode could reduce the amount of information that can be exposed via the bug.

“Another alternative for Safari users on Macs is to temporarily switch to a different browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected,” FingerprintJS said.

The Epoch Times has reached out to Apple for comment.

FingerprintJS reported the bug to the WebKit Bug Tracker at the end of November 2021, but Apple still hasn’t fixed it.

On Monday, the company said that Apple engineers had begun working on the bug on Sunday, have “merged potential fixes, and have marked our report as resolved” but the bug will continue to affect Safari 15 users until changes are released.