A software bug introduced in Safari 15’s implementation of the IndexedDB API lets any website track your internet activity.
Apple’s Safari 15 browser has a serious vulnerability that could let any website track your internet activity and reveal your identity on macOS, according to a new report. On iOS and iPadOS 15, the flaw appears to affect all browsers, because the affected WebKit engine is used by browsers built for these systems.
Researchers at FingerprintJS, a browser fingerprinting and fraud detection service, revealed that the bug stems from Apple’s implementation of IndexedDB. IndexedDB is a browser application programming interface (API) designed to hold significant amounts of data. It is supported in all major browsers, including Chrome, and is very commonly used.
However, Apple’s implementation of IndexedDB enables an attacker to gain access to a user’s browsing activity or the identity attached to their Google account. According to the researchers, private browsing mode in Safari 15 is also suspected to be affected by the vulnerability. The vulnerability enables others to know what websites you are visiting in different tabs or windows.
It also exposes a user’s Google User ID to websites other than those where the user has logged in with their Google account. This is problematic because the Google User ID is an internal identifier generated by Google. It can be used with Google APIs to fetch public personal information of the account owner, according to the researchers.
FingerprintJS claims that the number of websites that can interact and gain access to users’ browsing activity and personal data is significant. It has also created a demonstration page showing how the leak works.
The report said that more than 30 websites interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate. “We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page,” said the FingerprintJS team.
So what can users do to protect themselves? “Unfortunately, there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures. One option may be to block all JavaScript by default and only allow it on sites that are trusted. This makes modern web browsing inconvenient and is likely not a good solution for everyone. Another alternative for Safari users on Macs is to temporarily switch to a different browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected,” the researchers added.