
Safari 15 bug lets sites spy on your browsing activity and personal data

Monday 17 January 2022, 12:00, by Macworld Reviews
Just days after Apple patched a bug that could allow a hacker to send your iPhone into an endless loop of crashes, FingerprintJS has uncovered a Safari vulnerability that could expose your internet activity and personal data to any other website open in the browser.

The bug originates in the IndexedDB API, which is used for client-side storage of significant amounts of structured data, according to Mozilla. As FingerprintJS explains, since IndexedDB is a low-level API used by all major browsers, many developers “choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.”

According to FingerprintJS, Safari’s implementation of IndexedDB violates the same-origin policy, the security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. Consequently, arbitrary websites could spy on the other websites a user visits in different tabs or windows.

This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. https://t.co/aXdhDVIjTT
— Jake Archibald (@jaffathecake) January 16, 2022

Since some websites use unique user-specific identifiers in database names, FingerprintJS explains that authenticated users can be “uniquely and precisely identified” by sites such as YouTube, Google Calendar, and Google Keep. And since you will be logged in to those sites with your Google ID, the databases created for that account, which include personal information, could be leaked. FingerprintJS uncovered several other sites vulnerable to the bug, including Twitter and Bloomberg.

You can see the bug in action using a demo created by FingerprintJS. The only known mitigation is to change browsers on macOS. iOS and iPadOS users have fewer options due to Apple’s handling of browser engines, though FingerprintJS notes that users could block all JavaScript by default and only allow it on trusted sites. That, or just wait for an update to arrive. Apple is currently preparing iOS 15.3 and macOS 12.2 for release, but it’s unclear if it includes a Safari fix.
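As an added example (not code from the Macworld article or from FingerprintJS), here is a check a site can run in its own origin against the two problems described above: database names reported by indexedDB.databases() that this origin never created mean the browser is leaking names across origins, and own names that embed an account identifier turn that leak into user identification. The identifier heuristic, the injected IndexedDB factory and all database names in the stub are assumptions constructed for this example.

```javascript
// Added example, not the article's or FingerprintJS's code. A self-audit for a web origin:
//  - "foreign": names from indexedDB.databases() this origin never created (browser leak);
//  - "identifying": this origin's own names that carry a user-specific identifier, which
//    should be replaced by a fixed, non-identifying name with the id kept inside a record.
// The IndexedDB factory is passed in so the logic can run outside a browser with a stub.

const IDENTIFIER_PATTERNS = [
  /\d{8,}/,                                                          // long numeric account ids
  /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i,    // UUIDs
  /[^\s@/]+@[^\s@/]+\.[a-z]{2,}/i,                                   // e-mail addresses
];

// Heuristic (an assumption of this example): does a database name look user-specific?
function looksUserSpecific(name) {
  return IDENTIFIER_PATTERNS.some((re) => re.test(name));
}

async function auditDatabaseNames(idb, ownNames) {
  // indexedDB.databases() is missing in older engines; report that rather than "clean".
  if (typeof idb.databases !== "function") {
    return { supported: false, foreign: [], identifying: [] };
  }
  const own = new Set(ownNames);
  const observed = (await idb.databases()).map((d) => d.name);
  return {
    supported: true,
    foreign: observed.filter((n) => !own.has(n)),
    identifying: ownNames.filter(looksUserSpecific),
  };
}

// Constructed stub standing in for a leaking browser: besides this origin's own databases
// it reports a name only another origin could have created. All values are made up.
function leakingIndexedDBStub() {
  const names = ["app-cache", "notes-12345678901234", "OtherSiteUser-98765432109876"];
  return { databases: async () => names.map((name) => ({ name, version: 1 })) };
}

// In a real page: auditDatabaseNames(window.indexedDB, ["app-cache", "notes-<account id>"])
```

A non-empty "foreign" list is the symptom of the cross-origin leak; a non-empty "identifying" list is the part of the problem the site itself can fix.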
https://www.macworld.com/article/605562/safari-15-bug-indexeddb-api-expose-browsing-activity-persona...