A bug in Apple’s Safari browser could reveal your recent web history and potentially your identity to any website you use. And while Mac users can simply switch to another browser, iPad and iPhone users are out of luck as each alternative browser is impacted as well.
In a blog post published on Friday, browser fingerprinting service FingerprintJS explained the root of the problem, which affects Safari 15 for Mac and all browsers on iOS 15 and iPadOS 15.
It all relates to how WebKit implements a JavaScript API called IndexedDB. The bug, which was reported to WebKit on Nov. 28, means that while a website should only be able to see IndexedDB databases it has created, it can actually see those generated by any website during the user’s browsing session.
Since these entries are often unique to each website, it means that a site can determine which other pages you visit in different tabs or windows. “A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user is visiting in real time,” the post explains. “Alternatively, websites can open any website in an iframe or popup to trigger an IndexedDB-based leak for that specific site.”
As some websites also create user-specific identifiers in IndexedDB database names, this also means that malicious actors could use the exploit to determine the identity of a seemingly anonymous browser.
In a demonstration video, FingerprintJS uses YouTube as an example. Once logged in, the ID is modified to include a string that, with a bit of legwork, can be linked to a specific person.
IndexedDB databases can be accessed without any user intervention, the post adds, and enabling private browsing mode won’t close the flaw either.
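For site operators, the user-specific database names described above can be checked on their own origin. The following is an added example, not code from FingerprintJS or WebKit: it uses the standard `indexedDB.databases()` call to list the current origin's databases and flags names that appear to embed an identifier. The function names, patterns, thresholds and sample names are assumptions made for illustration.

```javascript
// Added example: flag IndexedDB database names that embed user identifiers.
// The patterns and length thresholds below are heuristic assumptions.
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const UUID = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;

// Return the reasons a single database name looks user-specific.
function classifyName(name) {
  const reasons = new Set();
  if (EMAIL.test(name)) reasons.add('email');
  if (UUID.test(name)) reasons.add('uuid');
  // Inspect each alphanumeric run on its own so separators do not hide an ID.
  for (const part of name.split(/[^A-Za-z0-9]+/)) {
    if (/^\d{8,}$/.test(part)) {
      reasons.add('numeric-id');
    } else if (part.length >= 16 && /\d/.test(part) && /[A-Za-z]/.test(part)) {
      reasons.add('opaque-token');
    }
  }
  return [...reasons];
}

// Keep only the names that triggered at least one heuristic.
function auditDatabaseNames(names) {
  return names
    .map((name) => ({ name, reasons: classifyName(name) }))
    .filter((entry) => entry.reasons.length > 0);
}

// Browser-only: audit the databases the current origin has created.
async function auditThisOrigin() {
  const dbs = await indexedDB.databases(); // resolves to [{ name, version }, ...]
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  'app-cache-v3',
  'firebaseLocalStorageDb',
  'profile:4815162342108',
  'inbox_alice@example.test',
  'session-9f1c2b7e-3d4a-4c5b-8e6f-0a1b2c3d4e5f',
  'store|u7Gh29KqLm4Zx8Wb1Tn',
];

if (typeof indexedDB !== 'undefined') {
  auditThisOrigin().then((hits) => console.table(hits));
} else {
  console.log(auditDatabaseNames(SAMPLE_NAMES)); // outside a browser: run on samples
}
```

Any name this flags is one that would tie a browser session to an account if database names are exposed across origins, so a fixed, user-independent database name is the safer choice.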
An analysis of Alexa’s top 1,000 pages found that more than 30 “interact with indexed databases directly on their home page, without any additional user interaction or need to authenticate.”
That doesn’t sound too bad, but FingerprintJS thinks it’s worse than it looks. “We suspect this number is significantly higher in real-world scenarios, as websites may interact with databases on subpages, after specific user actions, or on authenticated parts of the page,” the post continues.
Until a fix is released, Mac users can simply switch to another browser, but a similar workaround isn’t available to worried iPhone and iPad owners because Apple requires all browsers to use WebKit on its mobile platforms, which means Chrome and Firefox are also affected.
“One option may be to block all JavaScript by default and only allow it on trusted sites,” the blog post explains, but adds that it makes web browsing “inconvenient.”
“The only real protection is to update your browser or operating system after the problem has been fixed by Apple,” the post concludes. “In the meantime, we hope this article will raise awareness of this issue.”