
Safari Browser Bug Leaks Your Web Activity, Identity

A bug in Apple’s newest web browser Safari 15 has left the tech giant red-faced. According to FingerprintJS, this bug can expose users’ sensitive data, including their online identity and real-time activities. So macOS, iOS 15, and iPadOS 15 users better beware because the news affects all of them, even those who don’t use Safari.

And the worst part is that there isn’t much you can do about it except wait for Apple to release a patch or update. The company started working on the fix, though.

Safari 15 Bug in a Nutshell

FingerprintJS explained in a blog post that Safari 15 contains a software bug that allows websites to exploit user data. The vulnerability comes from Apple’s implementation of a JavaScript API called IndexedDB, used in the Safari browser.

IndexedDB follows the same-origin policy, which states that one origin cannot access or interfere with data stored by another origin. In other words, the website you visit can only access information that it generates.

For example, if you open your bank account in one tab, then visit a malicious website in another, the harmful page cannot put its hands on your banking info, thanks to the same-origin policy. However, Apple’s implementation of the API actually violates that policy. Here’s what the good folks down at FingerprintJS discovered:

Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.

FingerprintJS

It means hackers and other online criminals can exploit this weakness to steal valuable user data.
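The behaviour in the FingerprintJS quote can be modelled as a small isolation check. This is an added example, not code from FingerprintJS, Apple or WebKit; the `Session` class, the two origins and the database name are constructed for illustration, and no real browser API is called.

```javascript
// Toy model of a browser session (not WebKit code): each open tab or frame is a
// "context" with an origin and the set of database names visible in it.
class Session {
  constructor(leaky) {
    this.leaky = leaky;   // true = the behaviour described in the quote above
    this.contexts = [];   // active frames, tabs and windows
  }

  openContext(origin) {
    const ctx = { origin, names: new Set() };
    this.contexts.push(ctx);
    return ctx;
  }

  // A page in `ctx` opens (and thereby creates) a database called `name`.
  openDatabase(ctx, name) {
    for (const other of this.contexts) {
      // Correct: only contexts of the same origin see the name.
      // Leaky: an empty database with the same name appears in every context.
      if (other.origin === ctx.origin || this.leaky) other.names.add(name);
    }
  }
}

// Isolation check: every name visible in a context must have been created by
// that context's own origin. Returns the list of violations.
function findLeaks(session, createdBy) {
  const leaks = [];
  for (const ctx of session.contexts) {
    for (const name of ctx.names) {
      const owner = createdBy.get(name);
      if (owner !== ctx.origin) leaks.push({ seenBy: ctx.origin, name, owner });
    }
  }
  return leaks;
}

// Constructed scenario: two tabs with different origins, one constructed name.
function runScenario(leaky) {
  const session = new Session(leaky);
  const mail = session.openContext("https://mail.example");
  session.openContext("https://other.example");
  const createdBy = new Map([["user-1234567890", mail.origin]]);
  session.openDatabase(mail, "user-1234567890");
  return findLeaks(session, createdBy);
}

console.log("isolated:", runScenario(false));
console.log("leaky:   ", runScenario(true));
```

With isolation intact the check reports nothing; in the leaky model the second origin sees a name it never created, which is why a database name that embeds a user identifier becomes a privacy problem.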

Bug Leads to Leaks

Your identity, online activities, and other personal information are among the data that could be leaked to third parties. Websites with access to your Google accounts, like YouTube or Gmail, have databases with unique Google User IDs.

This allows the company to access some of your public information, including your profile picture. As a result, bad actors can put a face to the name and link your ID to other accounts.

Who’s at Risk? Can You Avoid the Issue?

Unfortunately, the bug doesn’t just affect Safari users. Due to Apple’s ban on third-party browser engines on iOS, all browsers must use the vulnerable WebKit engine. So even if you use Chrome or Firefox on any iOS 15 or iPadOS 15 device, you’re going to get bitten by the bug.

Only Mac users with Safari 15 can safely switch to other browsers. As for the rest, there’s nothing much you can do except wait for the new update. Apple started working on fixing the problem and recently marked the issue presented by FingerprintJS as resolved. But there have been no Safari 15 patches as of yet.

You can visit the demo page that FingerprintJS created to discover if your browser was affected. The demo shows how “any website can learn a visitor’s recent and current browsing activity (websites visited in different tabs or windows) using this leak.”

Safari 15 Bug Briefly Explained

Check out FingerprintJS’s summary on the whole Safari 15 fiasco and how it can leak your sensitive data.

Ralph Peterson
