A Vulnerability In Apple’s Safari Leaks Visited Websites And User IDs

Researchers have found a vulnerability in Apple’s Safari 15 browser, which allows websites to spy on browsing activity or other personal information. The anomalous behavior was identified by FingerpintJS, a browser fingerprinting service.

The problem lies in Apple’s implementation of IndexedDB. Websites can use the interface to create databases in the browser, store data in them and then retrieve them again. The same-origin policy actually ensures that only the domain with which the database was created can access it.

However, when a webpage interacts with a database on Safari 15 on macOS or any browser on iOS or iPadOS, “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.” — FingerprintJS explains. This means other websites can see the name of the database created by other websites.

The databases leaked in this way allows untrusted or malicious websites to “learn what websites the user visits in different tabs or windows.” The problem with this Safari bug goes beyond a clear violation of the user’s private data.

In addition, the databases may also contain personal information such as a user ID. Google, for example, handles it this way, explains the fingerprinting service provider. If users use their Google account on websites such as YouTube or Google Calendar, the unique, internal user ID is entered in the database name — which can be retrieved from other websites through the security gap.

With Google’s user ID, publicly visible information could be queried via an API. This means that a website could find out the identity of the user, explains FingerprintJS. In addition, several different accounts of a user could be linked. Apart from Google, a number of other websites would also name the databases with unique user IDs, including advertising networks.

FingerpintJS has also made a proof-of-concept that demonstrates the bug works and can be tested on Safari 15 or later on Mac, iPhone and iPad.

The vulnerability was reported on November 28, 2021, in the WebKit Bug Tracker, Safari’s browser engine. There is no update to date. 

To prevent the vulnerability from being exploited, users can either disable Javascript or switch to another browser such as Firefox, Brave or Chrome under MacOS. Since all browsers on iOS 15 and iPadOS 15 have to fall back on Apple’s browser implementation, there is no corresponding alternative here.

Bhasker Das
Bhasker Das
Bhasker Das, with a master's in Cybersecurity, is a seasoned editor focusing on online security, privacy, and protection. When not decrypting the complexities of the cyber world, Anu indulges in his passion for chess, seeing parallels in strategy and foresight.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More from this stream