Apple browser bug could lead to personal data leak
A vulnerability in the Safari 15 browser allows malicious programs to track people’s internet activity and reveal their identity
A recently disclosed Apple Safari 15 bug can be used by nefarious sites to extract people’s browsing history and obtain their Google ID to collect more personal data, a fraud detector reports.
The problem identified by FingerprintJS, a browser fingerprinting fraud detection service, resides with IndexedDB – an application programming interface, or API, used to store large amounts of data on a browser.
Normally, such data collecting interfaces operate within the ‘same-origin’ policy: they only allow websites a person interacts with to access data generated by each such website itself but not the other ones. For example, if a person opens their email account in one browser tab and another webpage in the second one, this webpage would not be able to access any email-related data.
When it comes to Safari 15, though, this is not the case. Due to Apple’s application of the IndexedDB API, each time a website interacts with the browser database, a new database of the same name is created for all other active tabs. That means that each such site can access database names for all other sites a person interacts with at the same time.
This can be particularly disturbing when a person interacts with some web pages requiring some personal data like YouTube or Google accounts. Any Google ID-linked pages create databases with a person’s unique Google User ID in their names, which are then de-facto shared with all other websites a person opens and can thus be potentially exploited by nefarious actors, including to obtain more personal data once they know the Google ID.
MacOS owners can potentially just use a browser other than Safari to get around the bug but there is little iPhone and iPad owners can do since Apple’s third-party browser engine ban on all iOS devices means all browsers are affected. Private mode on Safari 15 is affected as well.
FingerprintJS even created a special demo to show how website data, browsing history and personal data are collected by Safari in a way that reveals a person’s internet profile picture. It also said it reported the issue to the WebKit Bug Tracker on November 28, but no updates to fix the issue have been released as of yet. Apple also has not answered media requests for comment so far.
The problem identified by FingerprintJS, a browser fingerprinting fraud detection service, resides with IndexedDB – an application programming interface, or API, used to store large amounts of data on a browser.
Normally, such data collecting interfaces operate within the ‘same-origin’ policy: they only allow websites a person interacts with to access data generated by each such website itself but not the other ones. For example, if a person opens their email account in one browser tab and another webpage in the second one, this webpage would not be able to access any email-related data.
When it comes to Safari 15, though, this is not the case. Due to Apple’s application of the IndexedDB API, each time a website interacts with the browser database, a new database of the same name is created for all other active tabs. That means that each such site can access database names for all other sites a person interacts with at the same time.
This can be particularly disturbing when a person interacts with some web pages requiring some personal data like YouTube or Google accounts. Any Google ID-linked pages create databases with a person’s unique Google User ID in their names, which are then de-facto shared with all other websites a person opens and can thus be potentially exploited by nefarious actors, including to obtain more personal data once they know the Google ID.
MacOS owners can potentially just use a browser other than Safari to get around the bug but there is little iPhone and iPad owners can do since Apple’s third-party browser engine ban on all iOS devices means all browsers are affected. Private mode on Safari 15 is affected as well.
FingerprintJS even created a special demo to show how website data, browsing history and personal data are collected by Safari in a way that reveals a person’s internet profile picture. It also said it reported the issue to the WebKit Bug Tracker on November 28, but no updates to fix the issue have been released as of yet. Apple also has not answered media requests for comment so far.
AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
