August 13, 2022
Safari 15 security flaw detected that could leak your browsing activity, personal identity


A vulnerability has been found in Safari 15 that leaks your browsing activity and can even allow bad actors to learn your identity. The problem stems from a bug introduced in the implementation of IndexedDB, an application programming interface (API) for storing structured data. Users of the latest version of macOS as well as iOS and iPadOS are affected by the vulnerability. Although macOS users can work around the issue by switching to a third-party browser, users with an iPhone or iPad have no such solution at this time.

As initially reported by 9to5Mac, browser fingerprinting and fraud detection firm FingerprintJS has discovered an IndexedDB vulnerability affecting Safari 15. The API follows the same-origin policy, which restricts documents and scripts loaded from one origin from interacting with resources from another origin. It helps a web browser keep your session in one tab secure from a website you have opened in another tab.

However, researchers at FingerprintJS have found that Apple's implementation of IndexedDB violates the policy. The result is that an attacker can exploit this to gain access to your browsing activity or the identity associated with your Google Account.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs and windows within the same browser session,” the researchers said, explaining the vulnerability.

The flaw allows hackers to know which websites you are visiting in different tabs or windows. It also exposes your Google User ID to websites other than those where you have logged in with your Google Account. The Google User ID allows websites to access your personal identifiers, including your profile picture. Ultimately, hackers can take advantage of the Safari vulnerability to see those identifiers.
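The behaviour the researchers describe can be modelled outside a browser. The following is an added example, not code from FingerprintJS or WebKit: a small JavaScript model of a browser session that records which database names each origin can see, run once with correct same-origin scoping and once with the quoted "created in all other active frames" behaviour, plus an invariant check a tester could use to flag cross-origin names. The class, the function names, the `.example` origins, the database names and the idea that an account identifier sits inside a database name are all assumptions made for illustration.

```javascript
// Added model, not browser code: one set of visible IndexedDB names per open frame.
// Origins and database names are constructed sample values.
class Session {
  constructor(leaky) {
    this.leaky = leaky;        // true models the behaviour quoted from the researchers
    this.frames = new Map();   // origin -> Set of database names visible in that frame
    this.created = new Map();  // origin -> Set of names that origin opened itself
  }
  openFrame(origin) {
    if (!this.frames.has(origin)) {
      this.frames.set(origin, new Set());
      this.created.set(origin, new Set());
    }
  }
  openDatabase(origin, name) {
    this.openFrame(origin);
    this.created.get(origin).add(name);
    // Same-origin policy: the name is recorded only for the origin that opened it.
    // Leaky mode: an empty database with that name appears in every active frame.
    const targets = this.leaky ? [...this.frames.keys()] : [origin];
    for (const o of targets) this.frames.get(o).add(name);
  }
  visibleNames(origin) {
    return [...(this.frames.get(origin) ?? [])].sort();
  }
}

// Invariant: every name visible to an origin must have been opened by that origin.
function findCrossOriginLeaks(session) {
  const leaks = [];
  for (const [origin, names] of session.frames) {
    for (const name of names) {
      if (!session.created.get(origin).has(name)) leaks.push({ origin, name });
    }
  }
  return leaks;
}

function runScenario(leaky) {
  const s = new Session(leaky);
  s.openFrame("https://news.example"); // tab that never opens a database itself
  s.openDatabase("https://video.example", "player-cache");
  s.openDatabase("https://mail.example", "offline.USER_ID_PLACEHOLDER");
  return { seenByNews: s.visibleNames("https://news.example"), leaks: findCrossOriginLeaks(s) };
}
```

With `runScenario(false)` the news tab sees no database names; with `runScenario(true)` it sees both, which tells it that the other two sites are open and reveals whatever identifier is embedded in the name.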

FingerprintJS claims that the browsing activity of users and the number of websites interacting with and accessing personal identifiers can be significant. A proof-of-concept has also been made public by the researchers to demonstrate the flaw.

You can open the demo in Safari 15 on your Mac, iPhone or iPad to see the vulnerability. It currently covers popular sites including Alibaba, Instagram, Twitter and Xbox to show how databases from one site may be leaked to others. However, the problem is not limited to these and can affect users visiting other sites as well.

Users switching to private mode in Safari 15 can reduce the amount of information available through leaks because private browsing sessions in the browser are limited to a single tab. However, if you visit multiple websites one after the other in the same tab, you will still leak your data.

Mac users, however, can switch to a third-party browser like Google Chrome or Mozilla Firefox to avoid the security flaw.

However, on iOS, this problem is not limited to Safari and cannot be resolved by moving to Chrome or any other third-party browser. This is because Apple does not allow web browsers on the iPhone and iPad to use third-party browser engines.

Users can limit data leakage by disabling JavaScript in their browser for some time. But this will affect their experience, as most sites nowadays rely on JavaScript to provide a modern browsing experience.

FingerprintJS reported the issue to the WebKit bug tracker on 28 November. However, the flaw still exists.

Gadgets 360 has reached out to Apple for a comment on the vulnerability and whether it is working on a fix. This article will be updated when the company responds.

Vulnerabilities affecting Safari are nothing new. Last year, Apple had to re-release its browser to fix security issues and bugs introduced by previous updates. The latest Safari build (version 15.2), which was released in December, also fixed six known WebKit security issues that existed in previous versions and could have allowed attackers to maliciously gain access to user data.

