Safari bug has been revealing people’s browsing history and personal information for months

The bug could expose users Google User ID from websites like YouTube, Google Calendar, or Google Keep.

Adam Smith
Monday 17 January 2022 12:39 GMT
Comments
(Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Apple’s Safari browser has a vulnerability in it that could expose users’ browsing history and personal information.

The bug, which was introduced in Safari 15, as reported by FingerprintJS, came from the Indexed Database API which is part of Apple’s WebKit. The API is used to save data on websites users have visited so they can be loaded faster when they return.

IndexedDB should stop data from one origin from interacting with data from other origins. But the bug means that was not happening.

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session”, software engineer Martin Bajanik said.

This, Mr Bajanik continues, “lets arbitrary websites learn what websites the user visits in different tabs or windows. This is possible because database names are typically unique and website-specific”. Sometimes, this includes unique user-specific information that would let people be precisely identified after using YouTube, Google Calendar, or Google Keep, for example.

“All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts”, he says.

The leaks do not require specific user action – so there is little a user can do to stop it – and out of the top 1000 most visited websites over 30 were vulnerable due to this flaw including Instagram, Netflix, Twitter, and Xbox.

Unfortunately, users of Safari, iPadOS and iOS users cannot stop this without taking “drastic measures”, such as blocking all JavaScript – a move which would unfortunately make modern web browsing “inconvenient”.

Moreover, while Safari users on Macs could use a different browser, all browsers on iOS and iPadOS use Apple’s WebKit – including competitors such as Google Chrome – making switching impossible.

Apple did not respond to a request for comment from The Independent before time of publication. FingerprintJS reported the leak to the WebKit Bug Tracker on 28 Novemember 2021, but Apple has not yet updated Safari.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in