Safari 15 bug leaks browsing activity on iPhone, iPad, and Mac devices


We all could do better at keeping our private data and online accounts secure. There are only so many things we can do when software makes us more vulnerable to serious threats. FingerprintJS, a fraud prevention service, reported last Friday that Safari 15 could leak browsing activity and personal information (via ). This bug affects Safari on macOS as well as all browsers on iOS and iPadOS. You are at risk if you have an Apple device.

Safari bug leaks browsing activity, personal data and other information

FingerprintJS points out that the vulnerability was caused by Apple’s Safari implementation of the IndexedDB API. IndexedDB stores data as you browse and follows the same-origin policy. This policy makes sure that documents and data from one website cannot be seen by others.

Safari 15 violates the same-origin policy. Every time a website interacts with a database, Safari creates a new empty database, and as a result a website can view the names of databases created by the other websites you visit.

This is a cause for concern. But it gets worse. FingerprintJS also noted that certain websites use unique identifiers within their database names. Websites that access your Google account (e.g. YouTube, Google Calendar, and Google Keep) create databases whose names contain a valid Google User ID. Malicious websites can see your ID and can use it to link multiple accounts.
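Because database names are what leaks, site developers can check the names their own code passes to IndexedDB for embedded user identifiers. The following is an added example, not code from FingerprintJS or the original article; the patterns, the function name `auditDatabaseNames` and the sample names are constructed assumptions.

```javascript
// Added example: audit a site's own IndexedDB database names for embedded
// user identifiers. Patterns are heuristic assumptions, not a standard.
const PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "numeric-id", re: /\d{12,}/ },        // long digit runs, e.g. account IDs
  { kind: "hex-token", re: /[0-9a-f]{24,}/i },  // hashes or session-like tokens
];

// Returns one finding per database name that embeds an identifier.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    for (const { kind, re } of PATTERNS) {
      const m = re.exec(name);
      if (m) {
        findings.push({ name, kind, match: m[0] });
        break; // report the first pattern that matches
      }
    }
  }
  return findings;
}

// Constructed sample: names a hypothetical site might pass to indexedDB.open().
const SAMPLE_NAMES = [
  "app-cache",
  "offline.requests.117234567890123456789",
  "mail-store:alice@example.com",
  "notes-3f2b8c1e-9d4a-4e6b-8a1f-0c2d3e4f5a6b",
  "settings_v2",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.kind}: "${f.name}" embeds ${f.match}`);
}
```

A name that is flagged can be replaced with a fixed one, with the identifier stored inside the database instead of in its name.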

What can you do to protect your data?

FingerprintJS scanned the homepages of Alexa’s top 1000 most popular sites to determine the severity of the bug. FingerprintJS found that more than 30 sites “interact directly with indexed databases on their homepages, without the need for additional user interaction or authentication.” Sites are even more likely to do so once users start visiting other pages and interacting with them.

You’re in luck if you don’t understand how this bug works. The company has created a demo to show you how data is being leaked between origins in your browser. The demo supports Safari 15 for macOS and almost any browser running on iOS 15 or iPadOS 15. Apple requires that all mobile browsers use the WebKit engine. This makes them all vulnerable.

The bad news is you cannot avoid the bug until Apple fixes it. Apple is reportedly working on a solution as of Sunday. Apple has acknowledged that FingerprintJS reported the issue, but it has not yet released the fix to users. It might be a good idea to use another browser while you wait for the fix to be released. Those of us who use iOS or iPadOS devices will have to stay away from malicious websites until Apple fixes the bug.
