Bug in Safari 15 may leak browsing history – no solution

Update (2022-01-19):

Apple is working on a fix

Changes to WebKit that address the serious security flaw in Apple's implementation of the JavaScript API IndexedDB have appeared on GitHub, MacRumors reports.

The fix is in the function that lists available databases: it now lists only the databases whose origin (website) is the same as that of the website calling the function. If example.com asks for a list of all available databases, it will only get the databases created by example.com and not those created by, for example, google.com or netflix.com.
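The origin check described above, as a small JavaScript model added here (it is not WebKit's code and not from the original article). The class, the function names, the URLs and the database names are constructed for illustration, and the caller is assumed to be a normal, non-private window.

```javascript
// Toy model of a browser's IndexedDB name registry (not WebKit code).
// All URLs and database names below are constructed sample values.

// Normalise a page URL to its origin: scheme + host + port.
// The URL parser lowercases scheme and host and drops default ports.
function originOf(pageUrl) {
  return new URL(pageUrl).origin;
}

class DatabaseRegistry {
  constructor() {
    this.entries = []; // { origin, name, privateWindow }
  }

  // A page opens (creates) a database under its own origin.
  open(pageUrl, name, privateWindow = false) {
    this.entries.push({ origin: originOf(pageUrl), name, privateWindow });
  }

  // Behaviour the article describes for Safari 15: the caller's origin is
  // ignored, so names from all non-private tabs and windows are returned.
  listUnscoped(callerUrl) {
    return this.entries.filter((e) => !e.privateWindow).map((e) => e.name);
  }

  // Behaviour after the fix: only databases of the caller's own origin.
  listSameOrigin(callerUrl) {
    const caller = originOf(callerUrl);
    return this.entries
      .filter((e) => !e.privateWindow && e.origin === caller)
      .map((e) => e.name);
  }
}

// Constructed session: three sites open, one of them in a private window.
function buildSampleSession() {
  const reg = new DatabaseRegistry();
  reg.open("https://example.com/app", "example-cache");
  reg.open("https://google.com/", "user-id-1111"); // stands in for an internal user ID
  reg.open("https://google.com/", "user-id-2222"); // second signed-in account
  reg.open("https://netflix.com/", "netflix-state", true); // private window
  return reg;
}

const session = buildSampleSession();
console.log("unscoped:   ", session.listUnscoped("https://example.com/"));
console.log("same-origin:", session.listSameOrigin("https://example.com/"));
```

The comparison is on the full origin, so a page served over http:// from the same host name does not see the https:// site's databases either.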

As MacRumors points out, Apple cannot release an update of WebKit alone, so we have to wait for system updates of iOS, iPadOS and macOS.

We can also add that FingerprintJS, which discovered the bug, has confirmed that it does not affect older system versions such as iOS 14.


Earlier:

A bug has been discovered in Safari 15 that can leak some of your activity in the browser and expose certain personal information linked to your Google account, FingerprintJS has found. Among other things, the websites you visit can become visible to unauthorized parties.

The problem lies in how Safari for Mac and iOS implements IndexedDB, an API that saves data in the browser.

Apple should have been aware of the problem as early as the end of November, but has not yet done anything about it, even though it is a potentially serious privacy flaw.

The leak

When you go to a website that uses a local database in a new tab, a new empty database with the same name is created in all other tabs and windows (except private ones).

Most sites that use these databases give the database a name that makes it clear which site it belongs to. The result is that all other open sites can theoretically see which site you have just opened. When you close the tab, these databases are deleted, but by then it is already too late.

Worst with Google

Unfortunately, it does not end there. Some websites also use unique names that can be linked to a specific user. Google is the biggest and worst example here. Google uses an internal user ID as the database name, which means that a page that has been programmed to exploit the Safari bug finds out the internal ID code of your Google account.

As if that wasn't enough, a database is also created for each Google account you're signed in to. If you are logged in to, for example, a personal and a work account, the spying site finds out about both and can save the link between them.

Our recommendation

Until Apple fixes the bug, we recommend that you do not log in to Google at all in Safari. The bug is easy to exploit and is guaranteed to be used by unscrupulous developers to create databases of users’ unique Google IDs.

Users who care about privacy can also try to use only a new private window for each page they visit, or for the time being use an alternative browser that also takes privacy seriously, such as Firefox or Brave.

Here you can read more, and even test a demo that shows how the leak works (without actually being spied on).