• Home
  • Apps
  • Apps News
  • Safari 15 Security Flaw Discovered That Can Leak Your Browsing Activity, Personal Identity

Safari 15 Security Flaw Discovered That Can Leak Your Browsing Activity, Personal Identity

The Safari vulnerability was reported to the WebKit Bug Tracker in November, though Apple has not yet released its fix.

Safari 15 Security Flaw Discovered That Can Leak Your Browsing Activity, Personal Identity

Safari users on Mac are recommended to switch to a third-party browser

  • Safari 15 is found to have poorly implemented IndexedDB API
  • It is leaking browsing activity and personal identity of users
  • iOS and iPadOS users couldn’t protect data even after switching browser

Safari 15 is found to have a vulnerability that is leaking your browsing activity and even allowing bad actors to know your identity. The issue has emerged due to a bug introduced in the implementation of IndexedDB, which works as an application programming interface (API) to store structured data. Users on the latest version of macOS as well as iOS and iPadOS are affected by the vulnerability. Although macOS users can overcome the impact by switching to a third-party browser, users with the iPhone or iPad have no such remedy at this moment.

As initially reported by 9to5Mac, browser fingerprint and fraud detection firm FingerprintJS has discovered the IndexedBD vulnerability impacting Safari 15. The API follows the same-origin policy that is meant to restrict documents and scripts loaded from one origin to be interacted with resources from other origins. This helps a Web browser secure your session in one tab from the website you have accessed on the other tab.

However, the researchers at FingerprintJS have found that Apple's implementation of IndexedDB violates the policy. This results in the loophole that an attacker can exploit to gain access to your browsing activity or identity attached to your Google account.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” the researchers said while explaining the vulnerability.

The flaw allows hackers to learn what websites you are visiting in different tabs or windows. It also exposes your Google User ID to websites other than those where you have logged in with your Google account. The Google User ID allows websites to access your personal identifiers including your profile picture. Eventually, hackers could look at those identifiers by exploiting the Safari vulnerability.

FingerprintJS claims that the number of websites that can interact and gain access to users' browsing activity and personal identifiers can be significant. To demonstrate the flaw, a proof-of-concept has also been made public by the researchers.

You can use the demo on your Mac, iPhone, or iPad that has Safari 15 to look at the vulnerability. It currently detects popular sites including Alibaba, Instagram, Twitter, and Xbox to suggest how the database from one site can be leaked to others. However, the issue is not limited to these and may impact users visiting other sites as well.

Users switching to the private mode in Safari 15 can reduce the extent of information available via the leak as private browsing sessions on the browser are restricted to a single tab. You will, though, end up leaking your data if you visit multiple websites one after another within the same tab.

Mac users can, nevertheless, switch to a third-party browser, such as Google Chrome or Mozilla Firefox, to resolve the security loophole.

However, on iOS, the issue is also not just limited to Safari and cannot be overcome by moving to Chrome or another third-party browser. It is because Apple does not allow iOS Web browsers to use a third-party browser engine on iPhone and iPad.

Users can limit data leak by disabling JavaScript on their browser for the time being. But that will affect their experience as most sites nowadays use JavaScript to provide modern browsing.

FingerprintJS reported the issue to the WebKit Bug Tracker on November 28. The flaw still exists, though.

Gadgets 360 has reached out to Apple for a comment on the vulnerability and whether it is working on a fix. This article will be updated when the company responds.

Vulnerabilities impacting Safari is not something new. Last year, Apple had to re-release its browser to fix security issues and bugs that were introduced by a previous update. The latest Safari build (version 15.2) that was released in December also fixed six known WebKit security issues that existed in the previous versions and could allow attackers to maliciously gain user data access.

Xiaomi India speaks exclusively to Orbital, the Gadgets 360 podcast, on their plans for 2022 and pushing for 120W fast charging with the 11i HyperCharge. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Oppo Reno 6 Lite With Snapdragon 662, 48-Megapixel Triple Cameras Launched: Price, Specifications
Share on Facebook Gadgets360 Twitter Share Tweet Snapchat Share Reddit Comment google-newsGoogle News


Follow Us
© Copyright Red Pixels Ventures Limited 2024. All rights reserved.
Trending Products »
Latest Tech News »