Apple Prepares Fix for Safari Bug Allowing Websites to Decipher Your Recent Browsing Activity

[MacRumors]

Over the weekend, we reported on a bug in WebKit's implementation of a JavaScript API called IndexedDB that can reveal your recent browsing history and even your identity, according to browser fingerprinting service FingerprintJS.

Apple has since prepared a fix for the bug, according to a WebKit commit on GitHub, but the fix will not be available to users until Apple releases macOS Monterey, iOS 15, and iPadOS 15 updates with an updated version of Safari. Apple declined to comment when asked to provide a timeframe for a fix being released to the public.

The bug allows any website that uses IndexedDB for client-side data storage to access the names of IndexedDB databases generated by other websites during a user's browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often specific to each website, and sometimes the database names contain user-specific identifiers that could reveal a user's identity.

FingerprintJS has a live demo of the bug, which affects newer versions of browsers using Apple's open source browser engine WebKit, including Safari 15 for macOS and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome and Edge on iOS 15 and iPadOS 15, as Apple requires all iPhone and iPad browsers to use WebKit.

The bug does not affect Safari 14 for macOS or any browser on iOS 14 and iPadOS 14, according to FingerprintJS, which has a blog post with more details.

Article Link: Apple Prepares Fix for Safari Bug Allowing Websites to Decipher Your Recent Browsing Activity

 

[KaliYoni]

The bug does not affect Safari 14 for macOS or any browser on iOS 14 and iPadOS 14

Yet again, upgrading right when a new macOS or iOS is released causes major problems for users! If I could get Tim Cook to do one thing, it would be to stop the forced annual releases of OS's. It's not like Apple would take a sales revenue hit from stretching out releases to 18 or 24 months...

 

[joshwenke]

Another reason why WebKit lock-in on iOS is NOT a good idea...

 

[I7guy]

Another reason why WebKit lock-in on iOS is NOT a good idea...

The other side of this is, a potential wild west of vulnerabilities, with each browser having a unique set of security patches to fix. At least with one webkit, it all gets fixed at once. But I believe Apple is addressing this with alacrity.

 

[winxmac]

The bug does not affect Safari 14 for macOS or any browser on iOS 14 and iPadOS 14, according to FingerprintJS, which has a blog post with more details.

I guess that's one good reason for staying with iOS 14.x instead of upgrading to the latest version which is what Apple wants its users to do...

 

[TheYayAreaLiving 🎗️]

Wish granted! Sounds like a fix is coming very soon. Woo hoo. @_Spinn_ 👏🙏

Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

Yikes. I hope Apple fixes this quickly.

forums.macrumors.com

 

[sw1tcher]

What do you mean Apple is preparing for a fix?

Apple just issued a fix for macOS and users can get it right here

 

[diamondsw]

Wow, if you look at the commit, the actual code change is 3 additional lines of code - and dozens in new tests, documentation, etc.

 

[diamondsw]

What do you mean Apple is preparing for a fix?

Apple just issued a fix for macOS and users can get it right here

Unless I missed a major tech acquisition today, that's not Apple issuing it. Yes, I'm being humorless about this because it's a poor attempt at a "joke".

 

[ouimetnick]

but the fix will not be available to users until Apple releases macOS Monterey, iOS 15, and iPadOS 15 updates with an updated version of Safari.

Why can't we have Safari separated from the OS? I didn't have to update macOS for iTunes updates. Never had to update iOS for updates to Pages, Numbers, Keynote, etc.

They do update Safari separate from macOS on older versions of macOS.. Why can't the same be done with the latest/current release of macOS (and iOS/iPadOS)?

 

[TheYayAreaLiving 🎗️]

What do you mean Apple is preparing for a fix?

Apple just issued a fix for macOS and users can get it right here

I’m a big fan of Mozilla, Firefox browser. Been using it for years. Possibly a decade. It's too bad I'm addicted to Safari. But Firefox is my 2nd go-to.

Good suggestion though. 👌☝️

 

[diamondsw]

Yet again, upgrading right when a new macOS or iOS is released causes major problems for users! If I could get Tim Cook to do one thing, it would be to stop the forced annual releases of OS's. It's not like Apple would take a sales revenue hit from stretching out releases to 18 or 24 months...

While I agree that a longer upgrade cycle on the OS would allow for more polish, I doubt a lot of bugs (especially like this one) would be discovered even with more time. Until the upgrade is released not enough people run the betas to find a lot of these issues (although to be VERY fair, there are plenty of bugs that ARE well-known and ship anyway - and those might be fixed).

 

[romaguyntx]

would private relay offer any protection or is it also subject to this bug?

 

[diamondsw]

Why can't we have Safari separated from the OS? I didn't have to update macOS for iTunes updates. Never had to update iOS for updates to Pages, Numbers, Keynote, etc.

They do update Safari separate from macOS on older versions of macOS.. Why can't the same be done with the latest/current release of macOS (and iOS/iPadOS)?

Because Safari is the new IE. I only somewhat kid... Remember when we all blasted Microsoft for this exact behavior in Win98?

 

[diamondsw]

would private relay offer any protection or is it also subject to this bug?

Nope, afraid not - this is related to how Safari manages its own data and what it sends back to websites. Only fix is another browser until Safari is updated.

 

[romaguyntx]

Nope, afraid not - this is related to how Safari manages its own data and what it sends back to websites. Only fix is another browser until Safari is updated.

Wow! Thanks for this info!

 

[McScooby]

Yet again, upgrading right when a new macOS or iOS is released causes major problems for users! If I could get Tim Cook to do one thing, it would be to stop the forced annual releases of OS's. It's not like Apple would take a sales revenue hit from stretching out releases to 18 or 24 months...

Whatever date is put on a release, there is always issues. Can't say I was a fan of the longer releases as it just delayed features being added, although I suspect the current schedule has more to do with iOS rather than MacOS.
Unless you're buying new kit or want to keep up with iOS, no-one is forcing you to upgrade every 12 months.

 

[duanepatrick]

Why does no one talk about Brave? It's also a good browser tho aside from Firefox/Safari.

 

[Shirasaki]

Why does no one talk about Brave? It's also a good browser tho aside from Firefox/Safari.

Isn’t brave Chrome based?

 

[Shirasaki]

Yet again, upgrading right when a new macOS or iOS is released causes major problems for users! If I could get Tim Cook to do one thing, it would be to stop the forced annual releases of OS's. It's not like Apple would take a sales revenue hit from stretching out releases to 18 or 24 months...

But, but, but, YouTubers would run out of topics to talk to, to generate clicks, views and revenue ohhhhhh the world is shattering because Apple doesn’t release software on a daily basis and nothing interesting to talk about nooooooo…….

You get the idea.

 

[ian87w]

Why does no one talk about Brave? It's also a good browser tho aside from Firefox/Safari.

Because in this iOS situation, it doesn't matter which browser you use. ALL browsers on iOS must use Safari/webkit engine, and thus are affected by this bug,

 

[ian87w]

Time for Apple to start compartmentalizing iOS. Aren't anyone at Apple see how wrong it is to wait for an iOS update just to patch Safari/webkit? Apple, go work it out like Android, where the browser and system webview can be updated independently of the OS itself.

 

[Shirasaki]

Time for Apple to start compartmentalizing iOS. Aren't anyone at Apple see how wrong it is to wait for an iOS update just to patch Safari/webkit? Apple, go work it out like Android, where the browser and system webview can be updated independently of the OS itself.

I suspect they believe releasing separate browser update cost them more because of how they wrote safari in the first place, just like IE back in Windows 98.

 

[_Spinn_]

Wish granted! Sounds like a fix is coming very soon. Woo hoo. @_Spinn_ 👏🙏

Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

Yikes. I hope Apple fixes this quickly.

forums.macrumors.com

Hooray! I'm glad Apple is moving fast on this bug 😊

 

[Westside guy]

What do you mean Apple is preparing for a fix?

Apple just issued a fix for macOS and users can get it right here

Now where'd I see that joke before...? ?