The findings of browser fingerprinting service FingerprintJS reveal a critical bug in Apple’s Safari 15. The company disclosed this information in its blog post. Not only the bug might expose your browser history, but it might also expose certain personal information associated with your Google account too. A flaw in Apple’s implementation of IndexedDB is at the basis of this vulnerability.
For those who aren’t tech-savvy, IndexedDB is an application programming interface (API). It stores user data on your browser. The issue, according to FingerprintJS, is WebKit’s implementation of IndexedDB. It might reveal your recent browsing history and your identity.
IndexedDB follows the same-origin policy. Therefore it prevents data of one origin from interacting with data from other sources. In other words, only the website that creates a set of data should have access to that data. In addition, the discovery of the bug indicates that Apple’s implementation of the IndexedDB API in Safari 15 breaks the same-origin policy.
How does the vulnerability occur?
When a website interacts with the Safari database, it creates a new database with the same name. It happens in all open tabs, frames, and windows in the same browser session or application. As a result of the defect, other websites can now view the names of databases established on other sites. It includes information about a user’s identity too.
To provide better clarity to the users, Fingerprint JS created a real-time demo. The video displayed the effect of this bug. You can see the vulnerability in effect when you open the demo link on Safari 15 and above. For this you either need a Mac, iPhone, or iPad.
It’s also worth noting that in impacted Safari versions, private browsing mode does not protect against the problem. Therefore, there are not many remedial measures that you can take. Users have contacted Apple to check whether a repair is in the works. They will have to wait for Apple to provide software upgrades to fix the flaw.
In the interim, Safari 15 users on the Mac can temporarily switch to another browser. However, iPhone or iPad does not allow this because the WebKit flaw affects all browsers on those devices.