Safari 15 Security Flaw Discovered That Can Leak Your Browsing Activity, Personal Identity

The Safari vulnerability was reported to the WebKit Bug Tracker in November, though Apple has not yet released its fix.

By Jagmeet Singh | Updated: 17 January 2022 18:51 IST
Highlights
  • Safari 15 is found to have a poorly implemented IndexedDB API
  • It is leaking the browsing activity and personal identity of users
  • iOS and iPadOS users cannot protect their data even by switching browsers

Safari users on Mac are recommended to switch to a third-party browser

Safari 15 has been found to have a vulnerability that is leaking your browsing activity and even allowing bad actors to know your identity. The issue has emerged due to a bug introduced in the implementation of IndexedDB, which works as an application programming interface (API) to store structured data. Users on the latest version of macOS as well as iOS and iPadOS are affected by the vulnerability. Although macOS users can overcome the impact by switching to a third-party browser, iPhone and iPad users have no such remedy at this moment.

As initially reported by 9to5Mac, browser fingerprint and fraud detection firm FingerprintJS has discovered the IndexedDB vulnerability impacting Safari 15. The API follows the same-origin policy, which is meant to restrict how documents and scripts loaded from one origin can interact with resources from other origins. This helps a Web browser secure your session in one tab from the website you have accessed in another tab.

However, the researchers at FingerprintJS have found that Apple's implementation of IndexedDB violates the policy. This results in a loophole that an attacker can exploit to gain access to your browsing activity or the identity attached to your Google account.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” the researchers said while explaining the vulnerability.

The flaw allows hackers to learn what websites you are visiting in different tabs or windows. It also exposes your Google User ID to websites other than those where you have logged in with your Google account. The Google User ID allows websites to access your personal identifiers including your profile picture. Eventually, hackers could look at those identifiers by exploiting the Safari vulnerability.
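The isolation property at stake can be written as a check. The following is an added model, not WebKit code and not from FingerprintJS: it simulates a browser session with and without the behaviour the researchers describe and reports every database name visible to an origin that did not create it. The class, function names, origins and database names are all constructed for illustration.

```javascript
// Added model (not WebKit code): origin-partitioned IndexedDB name visibility.
class SessionModel {
  constructor(leaky) {
    this.leaky = leaky;         // true = behaviour quoted from the researchers
    this.byOrigin = new Map();  // origin -> Set of database names it created
    this.contexts = [];         // active tabs, frames and windows
  }
  openContext(origin) {
    const ctx = { origin, leaked: new Set() };
    this.contexts.push(ctx);
    return ctx;
  }
  // A page running in `ctx` creates a database called `name`.
  openDatabase(ctx, name) {
    if (!this.byOrigin.has(ctx.origin)) this.byOrigin.set(ctx.origin, new Set());
    this.byOrigin.get(ctx.origin).add(name);
    if (!this.leaky) return;
    // Leaky case: an empty database with the same name appears in every
    // other active context, regardless of origin.
    for (const other of this.contexts) if (other !== ctx) other.leaked.add(name);
  }
  // Database names a page in `ctx` is able to list.
  listNames(ctx) {
    const own = this.byOrigin.get(ctx.origin) || new Set();
    return [...new Set([...own, ...ctx.leaked])].sort();
  }
}

// Same-origin invariant: a context may only see names its own origin created.
function isolationViolations(model) {
  const out = [];
  for (const ctx of model.contexts) {
    const own = model.byOrigin.get(ctx.origin) || new Set();
    for (const name of model.listNames(ctx))
      if (!own.has(name)) out.push({ observer: ctx.origin, name });
  }
  return out;
}

// Constructed scenario: two unrelated sites open in two tabs.
function runScenario(leaky) {
  const m = new SessionModel(leaky);
  const shop = m.openContext("https://shop.example");
  const news = m.openContext("https://news.example");
  m.openDatabase(shop, "shop-cart-cache");
  m.openDatabase(news, "news-reader-state");
  return isolationViolations(m);
}

console.log("partitioned:", runScenario(false));
console.log("leaky:", runScenario(true));
```

With correct partitioning the check returns no violations; in the leaky model each site sees the other's database name, which is what reveals that the other site is open.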


FingerprintJS claims that the number of websites that can interact and gain access to users' browsing activity and personal identifiers can be significant. To demonstrate the flaw, a proof-of-concept has also been made public by the researchers.

You can use the demo on your Mac, iPhone, or iPad that has Safari 15 to look at the vulnerability. It currently detects popular sites including Alibaba, Instagram, Twitter, and Xbox to suggest how the database from one site can be leaked to others. However, the issue is not limited to these and may impact users visiting other sites as well.


Users switching to the private mode in Safari 15 can reduce the extent of information available via the leak as private browsing sessions on the browser are restricted to a single tab. You will, though, end up leaking your data if you visit multiple websites one after another within the same tab.

Mac users can, nevertheless, switch to a third-party browser, such as Google Chrome or Mozilla Firefox, to resolve the security loophole.


On iOS, however, the issue is not limited to Safari and cannot be overcome by moving to Chrome or another third-party browser. This is because Apple does not allow iOS Web browsers to use a third-party browser engine on iPhone and iPad.

Users can limit the data leak by disabling JavaScript in their browser for the time being. But that will affect their experience, as most sites nowadays use JavaScript to provide modern browsing.

FingerprintJS reported the issue to the WebKit Bug Tracker on November 28. The flaw still exists, though.

Gadgets 360 has reached out to Apple for a comment on the vulnerability and whether it is working on a fix. This article will be updated when the company responds.

Vulnerabilities impacting Safari are not something new. Last year, Apple had to re-release its browser to fix security issues and bugs that were introduced by a previous update. The latest Safari build (version 15.2) that was released in December also fixed six known WebKit security issues that existed in the previous versions and could allow attackers to maliciously gain user data access.

