A bug in Apple’s Safari browser could reveal your recent web history and potentially your identity to any website you use. And while Mac users can simply switch to another browser, iPad and iPhone users are out of luck as each alternative browser is impacted as well.
In one blog post Published on Friday, browser fingerprinting service FingerprintJS explained the root of the problem, which affects Safari 15 for Mac and all versions on iOS 15 and iPadOS 15.
Since these entries are often unique to each website, it means that a site can determine which other pages you visit in different tabs or windows. “A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user is visiting in real time,” the post explains. “Alternatively, websites can open any website in an iframe or popup to trigger an IndexedDB-based leak for that specific site.”
As some websites also create user-specific identifiers in IndexedDB database names, this also means that malicious actors could use the exploit to determine the identity of a seemingly anonymous browser.
In the video below, FingerprintJS uses YouTube as an example. Once logged in, the ID is modified to include a string that, with a bit of legwork, can be linked to a specific person:
IndexedDB databases can be accessed without any user intervention, the post adds, and enabling private browsing mode won’t close the flaw either.
An analysis of Alexa’s top 1,000 pages found that more than 30 “interact with indexed databases directly on their home page, without any additional user interaction or need to authenticate.”
That doesn’t sound too bad, but FingerprintJS thinks it’s worse than it looks. “We suspect this number is significantly higher in real-world scenarios, as websites may interact with databases on subpages, after specific user actions, or on authenticated parts of the page,” continues the message.
Until a fix is released, Mac users can simply switch to another browser, but a similar fix isn’t available to worried iPhone and iPad owners because Apple requires all browsers use WebKit on their mobile platforms, which means Chrome and Firefox are also affected.
“The only real protection is to update your browser or operating system after the problem has been fixed by Apple,” the message concludes. “In the meantime, we hope this article will raise awareness of this issue.”
- Safari bug leaks your Google account information, browsing history
- Safari and iOS users: your browsing activity is disclosed in real time
- Zoom security issues: Everything that’s gone wrong (so far)
- Which iPad should you buy? iPad vs. iPad mini vs. iPad Air vs. iPad Pro