
Newly discovered Safari bug can leak your browsing activity and personal information

You might want to stay away from Safari for now...
By Sanuj Bhatia January 17, 2022, 1:00 am

A new bug has been discovered in Apple's Safari web browser that can leak the user's browsing activity and also some of the personal information linked to the user's Google account. The bug has been discovered in the WebKit implementation of a JavaScript API in Safari called IndexedDB. It was reported by browser fingerprinting service FingerprintJS on Friday.

IndexedDB is an API that stores data in your browser. This API follows the same-origin policy, which means that one origin cannot interact with data that was collected from other origins. The bug breaks that isolation in the IndexedDB API and allows other websites to access the IndexedDB databases generated by other websites during a user's browsing session.


This bug can allow websites to track your Google account as well. Google stores an IndexedDB database on Safari under the name of the user's authenticated Google User ID. According to FingerprintJS, this identifier can be used with Google APIs to fetch personal information about the user, such as a profile picture. Because the database is saved under the Google User ID, it can be used to reveal a lot of information related to the user's Google account.
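To make the same-origin point concrete, here is an added JavaScript model (not code from this article, FingerprintJS or WebKit) that contrasts an origin-scoped database listing with the leaky listing described above, and flags database names that embed a user identifier. The class, the function names, the origins and the user ID are all constructed for illustration.

```javascript
// Constructed model of a browser's IndexedDB name registry; not WebKit code.
class DatabaseRegistry {
  constructor() {
    this.byOrigin = new Map(); // origin -> Set of database names
  }
  open(origin, name) {
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Set());
    this.byOrigin.get(origin).add(name);
  }
  // Same-origin behaviour: a caller sees only names its own origin created.
  listScoped(callerOrigin) {
    return [...(this.byOrigin.get(callerOrigin) ?? [])].sort();
  }
  // Behaviour the article describes: the caller's origin is ignored, so
  // names created by every origin in the session are returned.
  listLeaky(_callerOrigin) {
    return [...this.byOrigin.values()].flatMap((s) => [...s]).sort();
  }
}

// Site-side check: flag database names that embed a per-user identifier,
// because a leaked name then identifies the account, not just the site.
function namesEmbeddingUserId(names, userId) {
  return names.filter((n) => n.includes(userId));
}

function demo() {
  const reg = new DatabaseRegistry();
  // Constructed sample session; origins, names and user ID are placeholders.
  const userId = "100000000000000000001";
  reg.open("https://accounts.example", `profile.${userId}`);
  reg.open("https://shop.example", "cart-cache");
  reg.open("https://observer.example", "own-db");

  const scoped = reg.listScoped("https://observer.example");
  const leaky = reg.listLeaky("https://observer.example");
  return {
    scoped,
    leaky,
    foreign: leaky.filter((n) => !scoped.includes(n)),
    identifying: namesEmbeddingUserId(leaky, userId),
  };
}

console.log(demo());
```

For site owners, the takeaway of the last check is that a database name should be treated as potentially visible and should not carry an account identifier.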

This bug affects Safari 15 on all versions of iOS 15, macOS Monterey, and iPadOS 15 as all of these use Apple's open-source WebKit engine. Even third-party web browsers on iOS, including Chrome and Microsoft Edge, are vulnerable to the bug as Apple requires all browsers to use the WebKit website rendering engine on the iPhone and iPad.

FingerprintJS has also shared a live demo of the bug, which you can try out for yourself.

The bug doesn't require any user input or any user interaction for a website to access the IndexedDB database generated by other websites. As FingerprintJS' blog post notes, "a tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time. Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site."

The bug has to be patched by Apple. Even using a 'Private Window' won't help. If you're running Safari 14, i.e., a previous version of iOS or macOS, the bug won't affect you. And since the bug has been highlighted by a number of users, publications, and cyberactivists, a fix should be coming soon, although Apple is yet to comment on the bug.

If you're a Safari 15 user on macOS, you should temporarily switch to a different browser, for example, Google Chrome or Microsoft Edge. Switching web browsers on iOS and iPadOS won't help, as all the web browsers there use the WebKit rendering engine, which is affected by the vulnerability.

Via: MacRumors, The Verge
