Safari bug has been revealing people’s browsing history and personal information for months

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Apple’s Safari browser has a vulnerability in it that could expose users’ browsing history and personal information.

The bug, which was introduced in Safari 15, as reported by FingerprintJS, came from the Indexed Database API which is part of Apple’s WebKit. The API is used to save data on websites users have visited so they can be loaded faster when they return.

IndexedDB should stop data from one origin from interacting with data from other origins. But the bug means that was not happening.

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session”, software engineer Martin Bajanik said.

This, Mr Bajanik continues, “lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific”. Sometimes, this includes unique user-specific information that would let people be precisely identified after using YouTube, Google Calendar, or Google Keep, for example.

“All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts”, he says.

The leaks do not require specific user action – so there is little a user can do to stop it – and out of the top 1000 most visited websites over 30 were vulnerable due to this flaw including Instagram, Netflix, Twitter, and Xbox.

Unfortunately, users of Safari, iPadOS and iOS users cannot stop this without taking “drastic measures”, such as blocking all JavaScript – a move which would unfortunately make modern web browsing “inconvenient”.

Moreover, while Safari users on Macs could use a different browser, all browsers on iOS and iPadOS use Apple’s WebKit – including competitors such as Google Chrome – making switching impossible.

Apple did not respond to a request for comment from The Independent before time of publication. FingerprintJS reported the leak to the WebKit Bug Tracker on 28 Novemember 2021, but Apple has not yet updated Safari.