According to a report by FingerprintJS, the Safari web browser has a significant issue that allows unauthorised parties to access a user’s browsing history and even Google User IDs. Since this flaw was discovered, Apple has been working on a patch that should be available soon.
A change to WebKit, the software that makes Safari work, has appeared on GitHub and shows that Apple is already working on a fix for the bug that leaks users’ data. If you don’t know what WebKit is, it is Apple’s browser engine that powers Safari and other web browsers, like Chrome. Because WebKit is an open-source engine, updates about the bug can now be seen on GitHub.
The issue was found in the implementation of IndexedDB, a JavaScript API for storing data. Malicious websites can use the loophole to see the URLs that a user has recently visited and even get the user’s Google user name, which can be used to find out more about them.
According to FingerprintJS, the IndexedDB API violates the same-origin policy in Safari 15 on macOS and in all iOS and iPadOS browsers. To avoid this, FingerprintJS’s article explains that a website should always use the same database name in all active frames, tabs, and windows within the same browser session. Windows and tabs normally share a session unless you switch profiles (in Chrome) or open a private window (in Firefox).
Database names leaking across origins is a clear privacy violation. It lets arbitrary websites learn which websites the user has open in other tabs or windows. Database names are often unique and website-specific. FingerprintJS also noticed websites using unique user-specific identifiers in database names. Authenticated users can thus be identified exactly. YouTube, Google Calendar, and Google Keep are popular examples. If the user is logged into numerous accounts, databases are built for each one.
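For site owners, the practical question raised above is whether their own IndexedDB database names embed user-specific identifiers. The following is an added example, not code from FingerprintJS or WebKit: a small audit that flags such names. The matching rules and the sample names are constructed assumptions; `indexedDB.databases()` is the standard browser call that lists the current origin's databases.

```javascript
// Added example: flag IndexedDB database names that look user-specific.
// RULES and SAMPLE_NAMES are constructed assumptions, not taken from the report.
const RULES = [
  { label: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { label: 'email', re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { label: 'long-number', re: /\d{12,}/ },
  { label: 'long-hex', re: /\b[0-9a-f]{24,}\b/i },
];

// Return the label of the first rule a name matches, or null if it looks generic.
function classifyName(name) {
  const hit = RULES.find((rule) => rule.re.test(name));
  return hit ? hit.label : null;
}

// Keep only the names that match a rule, with the reason attached.
function auditNames(names) {
  return names
    .map((name) => ({ name, reason: classifyName(name) }))
    .filter((finding) => finding.reason !== null);
}

// Browser only: audit the databases that the current origin has created.
// Returns an empty list where the API is unavailable (for example in Node.js).
async function auditCurrentOrigin() {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return [];
  }
  const dbs = await indexedDB.databases();
  return auditNames(dbs.map((db) => db.name));
}

// Constructed sample names, so the audit also runs outside a browser.
const SAMPLE_NAMES = [
  'app-settings',
  'offline-cache-v2',
  'notes-db:104829301827364510293',
  'sync|alice@example.com',
  'media-3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d',
];

for (const finding of auditNames(SAMPLE_NAMES)) {
  console.log(`${finding.reason}: ${finding.name}`);
}
```

A name flagged here is a candidate for renaming to a fixed, non-identifying value, with the per-user key moved inside the database.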
You can try out a demo by FingerprintJS to see the extent to which the Safari bug leaks data to websites. Note that “the supported browsers are Safari 15 on macOS, and essentially all browsers on iOS 15 and iPadOS 15”.
So far, Apple hasn’t said when the patch will be made available to the public. However, MacRumors says that Apple needs to release new versions of iOS 15 and macOS Monterey to include a new version of Safari that runs on the most up-to-date WebKit engine.
It’s possible that the Safari bug may be fixed in future beta releases of iOS 15.3 and macOS Monterey 12.2. You should know that the version of WebKit that Safari 14 uses, which is used on iOS 14, doesn’t have the bug.