Apple Again Patches Safari Security Vulnerabilities That Could Leak Google ID


A recent FingerprintJS report revealed a security vulnerability in the Safari browser across all Apple platforms that allows browsing history and even Google User IDs to be extracted. In response to these findings, Apple has acknowledged the problem and is currently working on a fix.

Apple is expected to release a security update for all devices in the near future. Apple engineers are reportedly working on a fix for the WebKit engine at the core of Safari, which is where the user data leaks from.


Note that WebKit is a key component used to build browsers such as Safari, Chrome, Firefox, Edge and others. Since WebKit is open source, the bug-related updates will be published on GitHub.



More specifically, the Safari vulnerability stems from problems with Apple's implementation of IndexedDB, an application programming interface (API) for storing data in the browser.


IndexedDB normally follows the same-origin policy, under which a website can only access databases created by its own domain. For example, if you have your email open in one tab and a malicious site in another, the same-origin policy prevents the malicious site from accessing your email.


FingerprintJS found that the implementation of the IndexedDB API in Safari 15 violates the same-origin policy: when a website interacts with a database, FingerprintJS says, a new empty database with the same name is created in every other frame, tab, and window in the same browser session.


This means that other websites can see the names of databases created on a different site, and those names may contain data specific to the identity of the user.


As an example, FingerprintJS notes that sites using Google accounts, such as YouTube, Google Calendar, and Google Keep, all create databases whose names include the unique Google User ID. That ID lets Google look up publicly available information, such as profile photos, which because of this Safari bug could be exposed to other websites.
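To make the mechanism concrete, the following is an added example (it is not code from this article or from FingerprintJS). It models, in plain Node.js, the browser-side IndexedDB name registry described above: a correct registry keeps database names per origin, while the Safari 15 behaviour copies each newly opened name into every other open context of the session. It also shows the self-check a tester would run against a browser build (in a real browser the probe corresponds to calling `indexedDB.databases()` from a second origin), and the developer-side check that a database name does not embed a user identifier, which is exactly how the Google User ID ends up exposed. All origins, database names and identifiers below are constructed.

```javascript
// Added example, not from the article or FingerprintJS: a small model of an
// IndexedDB name registry. Origins and names are constructed sample values.

class IndexedDBRegistry {
  constructor({ leakNamesAcrossContexts = false } = {}) {
    this.leak = leakNamesAcrossContexts;
    this.contexts = new Map(); // origin -> Set of database names visible there
  }

  // A tab, frame or window for `origin` is opened in this browser session.
  openContext(origin) {
    if (!this.contexts.has(origin)) this.contexts.set(origin, new Set());
  }

  // `origin` creates or opens a database called `name`.
  open(origin, name) {
    this.openContext(origin);
    this.contexts.get(origin).add(name);
    if (this.leak) {
      // The reported bug: an empty database with the same name appears in
      // every other frame, tab and window of the session, whatever its origin.
      for (const [other, names] of this.contexts) {
        if (other !== origin) names.add(name);
      }
    }
  }

  // Equivalent of indexedDB.databases() as seen from `origin`.
  databases(origin) {
    return [...(this.contexts.get(origin) || [])].sort();
  }
}

// Self-check: a "victim" context opens a database with a random canary name,
// then a second origin lists its own databases. Under a correct same-origin
// policy the canary must not be visible there.
function detectCrossContextLeak(registry,
    victimOrigin = 'https://mail.example',
    probeOrigin = 'https://other.example') {
  const canary = 'soptest-' + Math.random().toString(36).slice(2);
  registry.openContext(victimOrigin);
  registry.openContext(probeOrigin);
  registry.open(victimOrigin, canary);
  return registry.databases(probeOrigin).includes(canary);
}

// Developer-side mitigation check: database names are metadata that a buggy
// engine may expose, so no user identifier should be part of the name.
function dbNameExposesIdentity(dbName, identifiers) {
  return identifiers.some(id => id.length > 0 && dbName.includes(id));
}

// Stand-alone demo.
const correct = new IndexedDBRegistry();
const safari15Model = new IndexedDBRegistry({ leakNamesAcrossContexts: true });
console.log('correct registry leaks names:', detectCrossContextLeak(correct));        // false
console.log('Safari 15 model leaks names:', detectCrossContextLeak(safari15Model));   // true
console.log('"keep-1234567890" embeds a user id:',
  dbNameExposesIdentity('keep-1234567890', ['1234567890']));                         // true
```

The `detectCrossContextLeak` probe is the pattern FingerprintJS's demo relies on, reduced to its defensive use: run it against a browser build and a non-empty result from the probe origin means the engine is exposing other origins' database names. `dbNameExposesIdentity` is the check a site developer can add to a build step so that a per-user identifier never becomes part of a database name, which limits what a leak of names alone can reveal.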


FingerprintJS has also created a proof-of-concept demo that users can try in Safari 15 or later on Mac, iPhone, and iPad. The demo uses the IndexedDB loophole in the browser to identify which of the affected websites are open and shows how a website could exploit this bug to retrieve a user's Google User ID.


Currently, the demo only detects 30 popular affected sites, including Instagram, Netflix, Twitter, and Xbox. Many more websites are likely to be affected, especially those that use the IndexedDB API.


There is currently nothing Safari users can do about it, as the bug is present in Safari on iPhone, iPad, and Mac alike. The loophole also affects Safari's Private Browsing mode.


So until Apple gets rid of the bug, it's a good idea to either use a different browser or disable JavaScript for untrusted websites.


Apple has so far not said when it will release the fix. But as MacRumors reports, the release will soon be publicly available along with changes to Safari and the new WebKit engine.
