Apple’s Safari browser is convenient and fast, which is why it is popular among iPhone and Mac users. But you may want to avoid using it for some time. A
new security bug was found in Safari and it could reveal the browsing history and the user identity to websites, including ones that may be operated by
hackers. And since Apple has not taken note of the bug yet, it is not safe to use Safari until a fix has arrived.
According to a blog post on a website called FingerprintJS, the Safari browser’s version 15 has a bug in its implementation of the IndexedDB API that lets any
website track a user’s internet activity and reveals their identity to practically anyone that has tools to access the database. So, any website that uses the
IndexedDB service can access the names and information stored in the IndexedDB databases generated by other websites during a browsing session.
IndexedDB is a JavaScript API implemented by Apple’s WebKit engine, which nearly all browsers that work on iOS, iPadOS, and macOS use to
function.
To put it simply, the bug practically gives a website that uses Safari’s IndexedDB service to store information about a particular browsing session access to the
information that other similar websites store using the same IndexedDB service. And this is concerning because your data may reach anywhere and can be
used in numerous ways. For websites such as Facebook, this information is like a jackpot, while a website that has malicious code in it and is used by hackers
to target victims will be able to siphon off all the information.
The data is exposed during a browsing session, so the information from all the websites that you open in different tabs or windows is accessible to a website.
But this should not happen because, ideally, the IndexedDB data of a website during a browsing session is unique and specific to each website. In an ideal
situation, a website should be able to access only its own IndexedDB database. So the bug leaves the databases of all websites open to viewing by
other websites.
“A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in
real-time,” said the blog post. “Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for
that specific site.”
HIGHLIGHTS
A flaw exists in Apple’s Safari browser’s WebKit service.
The flaw makes sensitive information and user data accessible to any other website.
Avoid using Safari at this time since Apple has not yet taken notice of the matter.
Some websites, like YouTube, use specific user identifiers in the names of their IndexedDB databases. In the case of YouTube, it creates a database
with details about a user’s verified Google account in the name. This Google ID can be used in conjunction with other Google APIs to access user data from
other websites, such as their profile picture. And if a hacker managed to get their hands on this data, they could use or sell it for evil purposes in addition to
being able to identify a person, which is otherwise not easy to achieve.
The flaw, according to the blog post, affects all Safari versions on iPhone and iPad
models running iOS 15 and iPadOS 15, as well as Safari 15 for Mac. Not only that, but it also affects the Chrome browser on iOS 15 and iPadOS 15. Why? Because both
Safari and Chrome employ Apple’s open-source WebKit browser engine, the problem affects both browsers. Even the Private or Incognito modes are
ineffective. Use a different browser on your Mac until Apple acknowledges the problem, which it hasn’t done yet, and releases a fix. There is
virtually no other option for users of iPhones and iPods because all of their browsers use WebKit, and WebKit has the problem.
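
The per-website scoping that IndexedDB is supposed to enforce, and the reason identifiers in database names matter, can be shown with a small model. This is an added example, not code from the article or from FingerprintJS: the class, the function names, the identifier heuristic and the sample session are all hypothetical and constructed for illustration.

```javascript
// Toy model of a browser's per-session IndexedDB registry (hypothetical names).
class SessionRegistry {
  constructor() { this.byOrigin = new Map(); } // origin -> Set of database names

  // An origin is scheme + host + port, as computed by the URL parser.
  static originOf(pageUrl) { return new URL(pageUrl).origin; }

  open(pageUrl, dbName) {
    const origin = SessionRegistry.originOf(pageUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Set());
    this.byOrigin.get(origin).add(dbName);
  }

  // Expected behaviour: the caller sees only its own origin's database names.
  listScoped(callerUrl) {
    const own = this.byOrigin.get(SessionRegistry.originOf(callerUrl));
    return [...(own ?? [])].sort();
  }

  // Behaviour the article describes: names from every origin in the session,
  // regardless of who is asking.
  listUnscoped(_callerUrl) {
    return [...this.byOrigin.values()].flatMap((s) => [...s]).sort();
  }
}

// Site-owner audit: flag database names that embed a long numeric or hex
// token. The pattern is a heuristic chosen for this example.
function namesWithIdentifiers(names) {
  return names.filter((n) => /\d{12,}|[0-9a-f]{24,}/i.test(n));
}

// Constructed sample session: three sites open in separate tabs.
function buildSampleSession() {
  const reg = new SessionRegistry();
  reg.open("https://video.example/watch", "userdata:108234567890123456789");
  reg.open("https://bank.example/login", "session-cache");
  reg.open("https://observer.example/", "prefs");
  return reg;
}

const demo = buildSampleSession();
console.log("scoped:  ", demo.listScoped("https://observer.example/"));
console.log("unscoped:", demo.listUnscoped("https://observer.example/"));
console.log("flagged: ", namesWithIdentifiers(demo.listUnscoped("")));
```

With scoped listing the observing site sees only `prefs`; without it, the other sites' names reveal which sites are open, and the flagged name carries an account identifier as well.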