Forbes
Lee Mathews, Contributor

A Nasty Safari Bug Could Leak Your Browsing Data And Google Account Information

A bug discovered in Safari 15 could be leaking information about the sites you visit online. Worse yet, it could be exposing your unique Google ID and profile information.

BRAZIL - 2021/12/20: In this photo illustration, the Safari logo is seen displayed on a smartphone. (Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

As reported by 9to5Mac, the bug was first discovered in late November by FingerprintJS, a Chicago-based firm that specializes in online fraud prevention. According to an announcement published Friday, the issue stems from a system that Safari 15 and all other major web browsers use to cache browsing information on your phone, tablet or computer.

It’s called IndexedDB and it’s leaned on heavily by today’s complex websites. Normally, information stored in IndexedDB storage can only be accessed by a web page from the same domain that created it. If Google creates it, for example, the information cached there can only be accessed by another Google web page.

This “same-origin” policy is designed to protect you from malicious sites that may attempt to steal information from your browser.

What FingerprintJS discovered is that the current version of WebKit, the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS, could be tricked into skipping the same-origin check.

What’s so bad about that? FingerprintJS says that “it lets arbitrary websites learn what websites [you visit] in different tabs or windows.” Furthermore, “[some] websites use unique user-specific identifiers in database names [which] means that authenticated users can be uniquely and precisely identified.”
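For site developers, that second point is something to check on their own pages: IndexedDB database names should not carry per-user values. The following is an added example, not code from FingerprintJS or this article; the patterns are heuristic assumptions, the function names are hypothetical and the sample database names are constructed.

```javascript
// Heuristic patterns for values that tend to be user-specific (assumptions;
// tune them for your own application).
const PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { kind: "long-number", re: /\d{12,}/ },
  { kind: "hex-token", re: /\b[0-9a-f]{32,}\b/i },
];

// Flag database names that appear to embed a per-user value.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const hit = PATTERNS.find((p) => p.re.test(name));
    if (hit) findings.push({ name, kind: hit.kind });
  }
  return findings;
}

// Pattern-free check: names that differ between two test accounts are
// user-specific even when the identifier is opaque.
function namesThatVaryByUser(namesForUserA, namesForUserB) {
  const seen = new Set(namesForUserB);
  return namesForUserA.filter((n) => !seen.has(n));
}

// Browser only: audit the databases of the page's own origin.
// Returns null where indexedDB.databases() is unavailable (e.g. Node.js).
async function auditThisOrigin() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return null;
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name));
}

// Constructed sample: names as two different signed-in test users might see them.
const SAMPLE_USER_A = [
  "app-cache",
  "offline.settings",
  "sync_108234567890123456789",
  "msgs-3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d",
  "drafts:alice@example.test",
];
const SAMPLE_USER_B = [
  "app-cache",
  "offline.settings",
  "sync_209934567890123456780",
  "msgs-7c1d2e3f-1b2c-4d5e-9f80-a1b2c3d4e5f6",
  "drafts:bob@example.test",
];
```

Calling `auditThisOrigin()` from the developer console on your own site lists the names that need renaming; comparing two test accounts with `namesThatVaryByUser` catches identifiers the patterns miss.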

To demonstrate the bug, FingerprintJS built a website at safarileaks.com. Head on over using the latest version of Safari (or another WebKit-powered browser on your iPhone or iPad) and you’ll see what kind of information IndexedDB leaks.

You may even see your Google profile picture, which can be looked up using an ID attached to certain sites’ IndexedDB caches.

Bug: Squashed

FingerprintJS submitted this issue to the WebKit bug tracker on November 28th. Today, they updated their blog post to announce that Apple developers had coded a fix and marked the issue resolved.

The change won’t take effect immediately, however. Updates take time to roll out, and it could be a while before your devices receive the fix.

For now, you can protect yourself by using a non-WebKit browser like Firefox on your Mac. On an iPhone or iPad you can temporarily disable JavaScript, but expect a lot of features on a lot of websites to break if you do that.
