A bug found in Apple’s Safari 15 can leak a user’s web browsing activity and potentially their identity. The vulnerability was first revealed by FingerprintJS which is a fraud detection service. Their report points out that the bug is in Safari’s implementation of the IndexedDB API. It enables any website you interact with, to collect your browsing history and your identity.
What Exactly is IndexedDB?
In simple terms, it’s a small API that stores a significant amount of data. This data is used in all major web browsers and Safari is no exception. Additionally, the API collects information about how you interact with a website and stores it in a database.
However, the important thing here is that IndexedDB follows the same-origin policy. This is a security mechanism that restricts one database from interacting with another. This means, If data is collected by one website, it cannot be accessed or used by another.
Safari 15 runs on WebKit which is Apple’s very own web browser engine. However, the IndexedDB API in WebKit violates the same-origin policy. Here’s how the bug works.
Whenever a user interacts with a website, it creates a new database with the same name in every open tab or active frame. Now, normally these other tabs should not be able to access the databases that don’t correspond with them. But the bug lets them bypass this restriction.
How Bad Is This?
This is where things take a turn for the worse! Apple users who prefer using Google Chrome over Safari aren’t safe either. Since Apple has a third-party browser engine ban in effect, all other browsers have to be built on WebKit to be available on the App Store. This means that every web browser is compromised.
Lastly, some websites have user-specific identifiers in database names. Websites like YouTube and Google Calendar use authenticated Google User ID which will also become vulnerable to the IndexedDB bug. This means that Google users can potentially have their identity leaked to untrusted or malicious websites.
FingerprintJS carried out a test to check how many websites used the IndexedDB API. It was revealed that 30 out of Alexa’s 1000 most visited websites used the API on just their home page. However, in real-world scenarios, this number would be even higher. This is because websites can interact with databases on their sub-pages and after a specific action is triggered.
Some of these websites are:
- Google Calendar
- Huffington Post
So, How Do I Protect Myself?
The short answer is; You Can’t!
Safari’s Private Browsing isn’t safe either. Although browsing sessions in Private Browsing mode are limited to one tab, the data leak is restricted. But, this doesn’t apply to subsequent websites opened in the same tab.
The only protection method is to update your browser or OS when Apple addresses the issue and rolls out a security fix.
Do you have any concerns regarding the Safari 15 bug? Let us know in the comments below!