A bug has been uncovered in Safari 15, the latest versions of Apple’s default search engine, that exposes users’ internet activity and personal data online.
FingerprintJS found the bug and it allows any website using IndexedDB to query the client-side databases created by other websites.
The flaw also lets sites ‘see’ which other websites iOS users are visiting in different tabs or windows.
And because some websites use unique user-specific identifiers in database names, users’ information can be easily accessed.
FingerprintJS points to the fact that YouTube, Google Calendar, and Google Keep are among those sites.
Apple engineers are preparing a fix, according to 9to5Mac, which is expected to be ‘released to users very soon’ – but the tech giant has yet to reveal when.
A bug has been uncovered in Safari 15, the latest versions of Apple’s default search engine, that exposes users’ internet activity and personal data online
‘The fact that database names leak across different origins is an obvious privacy violation,’ FingerprintJS shared in a blog post.
‘It lets arbitrary websites learn what websites the user visits in different tabs or windows.
‘This is possible because database names are typically unique and website-specific. We also observed in certain cases that websites used unique user-specific identifiers within their database names.
‘This means that authenticated users can be uniquely and precisely identified.’
Apple engineers are preparing a fix, according to 9to5Mac , which is expected to be ‘released to users very soon’ – but the tech giant has yet to reveal when
FingerprintJS also checked over 1,000 Alexa-reviewed websites to determine how many sites use IndexedDB. This allows them to be identified uniquely by their interactions with the databases.
These results showed that over 30 websites interacted directly with index databases on their homepage without the need for authentication or additional user interaction.
‘We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page,’ FingerprintJS shared.
Apple acknowledges the bug but there are no protections for users until Apple releases a solution.
FingereprintJS suggests that JavaScript be blocked by default on all sites and allowed only for trusted websites.
Users can also change to another browser until Apple fixes the problem.
‘The only real protection is to update your browser or OS once the issue is resolved by Apple,’ according to FingereprintJS.