Apple’s Safari 15 browser has a serious vulnerability that could allow any website to track your Internet activity and reveal your identity on macOS, according to a new report. In iOS and iPadOS 15, the flaw appears to be affecting all browsers, as the WebKit engine is affected and is used by browsers built for these systems.
Researchers at FingerprintJS, a browser fraud and fingerprint detection service, revealed that Apple’s implementation of IndexedDB has caused this software bug. An IndexedDB is a browser application programming interface (API) designed to contain significant amounts of data. It is supported by all major browsers including Chrome and is used very frequently.
However, Apple’s implementation of IndexedDB allows an attacker to gain access to a user’s browsing activity or the identity attached to their Google account. According to the researchers, the display of private mode in the Safari 15 browser is also suspected to be affected by the vulnerability. The vulnerability allows others to know which websites you are visiting in different tabs or windows.
In addition, it also exposes a user’s Google User ID to websites other than those where one is logged in with their Google account. This is problematic because the Google User ID is an internal identifier generated by Google. It can be used with Google APIs to obtain public personal information from the account owner, according to the researchers.
FingerprintJS claims that the number of websites that can interact with and gain access to users’ browsing activity and personal data is significant. It has also created a demo page that shows how jailbreak works.
The report says that more than 30 websites interact with indexed databases directly on their home page, without any additional user interaction or authentication required. “We suspect that this number is significantly higher in real-world scenarios, as websites may interact with databases on subpages, after specific user actions, or on authenticated parts of the page,” the FingerprintJS team said.