If you’re viewing this on Safari, close the browser and shift to *gasp* Google Chrome even, because this is about to make you seriously paranoid about your privacy. As reported by FingerprintJS, the recently-discovered Safari 15 bug detailed in this blog can leak your recent browsing history and even reveal your identity.
Now, what’s this pesky little bug about?
Anyone who’s been on the internet for a while would agree that your browsing history is something sacred. It’s private information that should only be accessible to you and, well, your ISP, the sites you visit, the people they sell data to…
Okay, it’s only somewhat private, but the point stands that it’s sensitive information you don’t necessarily want in malicious hands.
I hate to be the bearer of bad news, but a recently revealed Safari vulnerability threatens just that privacy. This bug in Safari 15’s implementation of the IndexedDB API on macOS, and in all browsers on iOS and iPadOS 15, causes the creation of duplicate databases on websites sharing the same session.
In simple words? If you’re on Safari right now, every website you have open that uses IndexedDB can potentially see which other websites are open in different tabs or windows. What’s worse is if you’re logged into any Google services, which you probably are, this bug can also leak your Google ID and profile picture. Plural, if you’re logged into multiple Google accounts.
Are you serious? What’s Apple doing?
Yup, you can check out this vulnerability in action on this live demo website. As for what Apple’s doing, well, FingerprintJS says they reported this bug on 28 November – but as you can see, it remains unresolved. However, now that it’s public knowledge, Apple has confirmed they’ve got engineers on the case and marked FingerprintJS’s report as resolved.
But don’t breathe a sigh of relief just yet because, until you get an update with a security patch, that’s just random words on a screen. You’re still vulnerable nonetheless!
So… there’s nothing we can do?
Thankfully, if you’re on macOS, the easier option is simply changing your web browser to escape this bug in Safari 15. Unfortunately, iOS and iPadOS users have no recourse, for now, as it affects all browsers. The most we can do is wait until Apple releases updates patching this flaw.
Now, if you’ll excuse me, I’m going to go log out of Google and close those 500 tabs on my iPhone so nobody can spy on what I’ve been looking at. Damn Apple and this stupid Safari 15 bug to hell, I saved those important tabs for a rainy day!