Software bug in Safari 15 can reveal identity and internet activity

Apple’s Safari 15 browser contains a vulnerability that could expose users’ Internet activity and identities. FingerprintJS, a company that develops software to detect online fraud, reports this in a blog post. FingerprintJS reported the vulnerability to Apple late last year.

Websites can track users’ online activity

The bug is in Safari’s implementation of IndexedDB, a browser API intended for storing data. All major browsers support it, and it can hold large amounts of data. Websites use IndexedDB, among other things, to see which pages a visitor opens.

The IndexedDB API follows the same-origin policy, which places conditions and restrictions on data sharing. For example, scripts and documents from one web page can access data on a second web page, but only if both pages come from the same origin. This policy prevents websites from accessing sensitive data from other sites.

The vulnerability in Safari 15's implementation of the IndexedDB API allows websites to read which other websites the user has visited. Every time a website connects to a database, a new empty database with the same name is created in other tabs and windows in the same browser session.

According to FingerprintJS, this is a violation of the same-origin policy. The company also calls the fact that database names can leak across origins “a clear privacy violation”.

Visitors' identities can also be revealed

The vulnerability also allows more of a user's personal data to be retrieved. FingerprintJS points out that in some cases websites use unique identifiers in database names. Users can therefore be identified very precisely. For example, the flaw allows websites to read the Google User ID of visitors using a Google account.

YouTube also uses a Google User ID. Based on this data, a website operator can access data such as the visitor's Google username or profile picture. The operator can thus discover the identity of a visitor and even link multiple, separate accounts of the same user.
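For site developers, the practical takeaway is to keep user identifiers out of database names. The following check is an added example, not code from FingerprintJS or Apple; the patterns, function names and sample database names are constructed for illustration. It flags names that embed identifier-like values and shows one possible layout that moves the per-user value inside a fixed-name database.

```javascript
// Audit the IndexedDB database names that your own site creates.
// Patterns are heuristics (assumption): tune them to your own ID formats.
const IDENTIFIER_PATTERNS = [
  { kind: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'numeric-id', re: /(?<!\d)\d{9,}(?!\d)/ },
  { kind: 'long-hex', re: /(?<![0-9a-f])[0-9a-f]{16,}(?![0-9a-f])/i },
];

// Returns the first identifier-like pattern found in a database name.
function classifyDatabaseName(name) {
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    const m = re.exec(name);
    if (m) return { name, risky: true, kind, match: m[0] };
  }
  return { name, risky: false, kind: null, match: null };
}

// Returns only the names that appear to embed a per-user value.
function auditDatabaseNames(names) {
  return names.map(classifyDatabaseName).filter((r) => r.risky);
}

// One possible fix: a fixed database name, with the user-specific value
// used as a record key inside the database instead of in its name.
function safeStorageLayout(appName, userId) {
  return { dbName: `${appName}-store`, storeName: 'per-user', key: String(userId) };
}

// Constructed sample names, e.g. copied from the browser's storage inspector.
const SAMPLE_NAMES = [
  'settings',
  'app-cache-v2',
  'user-data-100000000000000000001',
  'cache-3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b',
  'inbox-alice@example.com',
  'session-9f8e7d6c5b4a39281706f5e4',
];

for (const finding of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${finding.kind}: ${finding.name}`);
}
```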

The problem affects multiple browsers on Apple devices

In addition to Safari 15 on macOS, other browsers on the iPhone and iPad are also affected by the bug. This is because Apple forces developers of other browsers to use certain software. The problem can therefore be avoided on a laptop or computer by using a browser other than Safari. Unfortunately, this is not an option on an iPhone or iPad.

The only real protection, according to FingerprintJS, is to update your browser or OS once the problem is resolved. The company disclosed the vulnerability to Apple on November 28 last year. The bug has not yet been fixed.
