We could all do a better job of keeping our online accounts and private data secure. Unfortunately, there’s only so much that we can do when the software we use leaves us vulnerable to major threats. For example, last Friday, the fraud prevention service FingerprintJS detailed a bug in Safari 15 capable of leaking browsing activity and personal data (via 9to5Mac). This bug affects the Safari on macOS, as well as every browser on iOS and iPadOS. If you own an Apple device, you’re at risk.
Safari bug leaks browsing activity and personal data
As FingerprintJS explains, the vulnerability is a result of Apple’s implementation of the IndexedDB API in Safari. IndexedDB stores data while you browse, and is meant to follow the same-origin policy. This policy ensures that data and documents from one website can’t be seen by another.
Safari 15 violates the same-origin policy. When a website you visit on Safari interacts with a database, “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.” The database names Safari creates are now leaking across origins. Websites you visit can see the names of the other databases that have been created.
This is cause for concern, but it gets worse. FingerprintJS also notes that some websites have unique identifiers in their database names. Websites that use your Google account, such as YouTube, Google Calendar, or Google Keep, create databases that include an authenticated Google User ID. Malicious websites can not only see your ID, but can also use it to link together multiple accounts.
What can you do to protect your data?
To measure the severity of the bug, FingerprintJS checked the homepages of Alexa’s top 1000 most visited sites. More than 30 of those sites “interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate.” In reality, the number is likely far higher, especially when users begin visiting other pages or interacting with the site.
If you can’t quite wrap your head around how this bug works, you’re in luck. The company put together a demo that will show you exactly how the data is leaking between origins in your browser. Supported browsers include Safari 15 on macOS and virtually any browser on iOS 15 or iPadOS 15. Apple requires all browsers on its mobile devices to use the WebKit engine, which means they’re all vulnerable.
The bad news is that there’s nothing you can do to avoid this bug until Apple fixes it. The good news is that Apple has reportedly started working on a fix as of Sunday. Apple has marked the report from FingerprintJS as resolved, but the fix hasn’t actually been released to end users yet. Until then, it might be best to use another browser on your macOS computer. As for those of us on iOS or iPadOS devices, we’ll just have to avoid any malicious sites until Apple rolls out a bug fix.