Apple’s catchphrase for Safari, the Cupertino-based tech giant’s default browser, is “Blazing Fast. Incredibly Private.” We can’t contest the former, but the latter is questionable due to a new privacy-infiltrating bug spotted in macOS, iOS and iPadOS.
FingerprintJS, a tech startup that builds open-source fingerprinting APIs for preventing online fraud, recently published a blog post revealing that Safari 15 has a vulnerability that enables websites to track users’ internet activity and unveil their identity.
Safari 15 bug leaks users’ online digital trail
Ideally, websites should only “see” the names of databases for its own domain — not others. Unfortunately, this isn’t the case with Safari 15; websites can use this exploit to track other webpages its visitors are exploring.
Let’s use Google as an example since it keep tabs of account holders by storing an IndexedDB of each user. Let’s say you’re watching videos on YouTube. If you launch a new website that uses IndexedDB, it will be able to detect that you’re visiting the video-sharing website.
“The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows,” FingerprintJS said.
Adding salt to our wounds, FingerprintJS added that if you’re logged into your Google account, websites can also see your unique Google user ID and photo (if you’ve uploaded one for your account). A malicious actor can retrieve your avatar and use an image search engine to unveil your identity.
FingerprintJS reported the issue to Apple in late November. Apple engineers worked on the security vulnerability on Jan. 16 and marked FingerprintJS’ bug report as resolved. However, a fix hasn’t been released yet and the flaw “continues to persist for end users,” the blog post said.
To see the vulnerability in action for yourself, you can run a proof-of-concept live demo. As mentioned, the vulnerability affects Safari 15 on macOS, iOS and iPadOS 15.