According to a new report, a software vulnerability in Apple’s Safari 15 browser might allow any website to track users’ internet activities and possibly expose their identities on macOS, iOS, and iPadOS 15. People’s Google User IDs could also be exposed to other websites as a result of the vulnerability. The vulnerability is also believed to affect Safari 15’s private browsing mode.
The fault is caused by an issue with Apple’s implementation of IndexedDB, an application programming interface (API) that stores data in people’s browsers, according to FingerprintJS, a browser fingerprinting and fraud detection service. According to the report, more than 30 websites interact with indexed databases directly on their homepage, with no additional user involvement or authentication required.
“IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. It’s supported in all major browsers and is very commonly used. We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page,” said the FingerprintJS team in a statement.
The vulnerability discovered by FingerprintJS allows IndexedDB to violate the same-origin policy, exposing data it holds for one domain to domains from which that data was not collected. Some websites, such as those in the Google network, include unique user-specific identifiers in the data sent to IndexedDB. This means that if users are signed in to their Google account, the data obtained can be used to precisely identify their browsing history as well as account details. It can also reveal whether they are logged into more than one account.
FingerprintJS reported the vulnerability at the end of November, but it has yet to be resolved. On Mac only Safari is affected, but because Apple requires all web browsers on iOS and iPadOS to use WebKit, the IndexedDB flaw affects every browser on those systems.