Safari 15 Security Flaw Discovered That Can Leak Your Browsing Activity, Personal Identity 4g4a6n

Safari 15 is found to have a vulnerability that is leaking your browsing activity and even allowing bad actors to know your identity. The issue has emerged due to a bug introduced in the implementation of IndexedDB, which works as an application programming interface (API) to store structured data. s on the latest version of macOS as well as iOS and iPadOS are affected by the vulnerability. Although macOS s can overcome the impact by switching to a third-party browser, s with the iPhone or iPad have no such remedy at this moment.

As initially reported by 9to5Mac, browser fingerprint and fraud detection firm FingerprintJS has discovered the IndexedBD vulnerability impacting Safari 15. The API follows the same-origin policy that is meant to restrict documents and scripts loaded from one origin to be interacted with resources from other origins. This helps a Web browser secure your session in one tab from the website you have accessed on the other tab.

However, the researchers at FingerprintJS have found that Apple's implementation of Google .

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” the researchers said while explaining the vulnerability.

The flaw allows hackers to learn what websites you are visiting in different tabs or windows. It also exposes your Google ID to websites other than those where you have logged in with your Google . The Google ID allows websites to access your personal identifiers including your profile picture. Eventually, hackers could look at those identifiers by exploiting the Safari vulnerability.

FingerprintJS claims that the number of websites that can interact and gain access to s' browsing activity and personal identifiers can be significant. To demonstrate the flaw, a proof-of-concept has also been made public by the researchers.

You can use the demo on your iPad that has Safari 15 to look at the vulnerability. It currently detects popular sites including Alibaba, Instagram, Twitter, and Xbox to suggest how the database from one site can be leaked to others. However, the issue is not limited to these and may impact s visiting other sites as well.

s switching to the private mode in Safari 15 can reduce the extent of information available via the leak as private browsing sessions on the browser are restricted to a single tab. You will, though, end up leaking your data if you visit multiple websites one after another within the same tab.

Mac s can, nevertheless, switch to a third-party browser, such as Mozilla Firefox, to resolve the security loophole.

However, on Apple does not allow iOS Web browsers to use a third-party browser engine on iPhone and iPad.

s can limit data leak by disabling JavaScript on their browser for the time being. But that will affect their experience as most sites nowadays use JavaScript to provide modern browsing.

FingerprintJS reported the issue to the WebKit Bug Tracker on November 28. The flaw still exists, though.

Gadgets 360 has reached out to Apple for a comment on the vulnerability and whether it is working on a fix. This article will be updated when the company responds.

Vulnerabilities impacting Safari is not something new. Last year, Apple had to WebKit security issues that existed in the previous versions and could allow attackers to maliciously gain data access.

---