Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,195
30,136


The macOS Monterey 12.2 and iOS 15.3 release candidates that came out today appear to address a Safari bug that could cause your recent browsing history and details about your identity to be leaked to malicious entities.

safari-icon-blue-banner.jpeg

As shared last week by browser fingerprinting service FingerprintJS, there is an issue with the WebKit implementation of the IndexedDB JavaScript API. Any website that uses IndexedDB can access the names of IndexedDB databases generated by other websites during the same browsing session.

The bug permits a website to spy on other websites that the user visits while Safari is open, and because some websites use user-specific identifiers in their IndexedDB database names, personal information can be gleaned about the user and their browsing habits.

Browsers that use Apple's WebKit engine are impacted, and that includes Safari 15 for Mac and Safari for iOS 15 and iPadOS 15. Some third-party browsers like Chrome are also affected on iOS and iPadOS 15, but the macOS Monterey 12.2, iOS 15.3, and iPadOS 15.3 updates fix the vulnerability.

FingerprintJS constructed a demo website to let users check to see whether they're impacted, and as 9to5Mac notes, after updating to the new software, the website detects no security holes.

The website is designed to tell users details about their Google accounts. On iOS 15.2.1 and macOS Monterey 12.1, we tested and the demo website was able to detect our Google account. After updating to the macOS Monterey 12.2 RC and the iOS 15.3 RC, the demo website no longer detects any data.

Apple earlier this week prepared a fix for the bug and uploaded it to the WebKit page on GitHub, so we knew that Apple was working to address the vulnerability. With the macOS Monterey 12.2 and iOS 15.3 release candidates now available, we could see these updates be made available to the public as soon as next week.

Article Link: macOS Monterey 12.2 and iOS 15.3 Release Candidates Fix Safari Bug That Leaks Browsing Activity
 
Last edited:
  • Like
Reactions: RandomDSdevel

LoveTo

macrumors regular
Oct 3, 2021
115
878
If I understand it correctly, won’t we be able to avoid the issue by opening only one tab at a time in private browsing mode, and close it? That is of course until the fix is installed.
 
  • Like
Reactions: u+ive and _Spinn_

nt5672

macrumors 68040
Jun 30, 2007
3,236
6,853
Midwest USA
If they did not do a Safari only fix, then they must really be being pressured by the TLA government agencies. Who knows what security holes (ohhh, I mean new features) are in this release.
 

Dave-Z

macrumors 6502a
Jun 26, 2012
861
1,447
As discovered last week by browser fingerprinting service FingerprintJS

It wasn't discovered last week. It was discovered last year, November 2021. It was disclosed to the public last week.

we knew that Apple was working to address the vulnerability in a timely manner

Addressing the issue nearly two months after it having been reported is not timely, especially considering this patch still hasn't reach the public. If the update comes out in one week that will have been two months since Apple first learned about it.
 

IGI2

macrumors 6502a
May 6, 2015
548
511
It wasn't discovered last week. It was discovered last year, November 2021. It was disclosed to the public last week.



Addressing the issue nearly two months after it having been reported is not timely, especially considering this patch still hasn't reach the public. If the update comes out in one week that will have been two months since Apple first learned about it.
But to be fair, Google Project Zero (and others) has a disclosure policy of 90 days.

We know that this is a privacy breach, but still, modern OSs are fairly complex. Getting to know about it, analysis, fixing it, incorporating in all variants, QA testing, and distributing it to all end users across the globe in one time, whether it's iPhone 6s or iPhone 13 Pro Max is still within reasonable "timely" manner.

We know that they had some public pressure; that's why it's even shorter if we count days since it landed in the news.
 

Macintosh TV

Suspended
Nov 3, 2021
294
732
Mozilla has security issues that are more than 2 years old and filed in their system. Chrome has outstanding security issues older than this. Folks need to settle down. This stuff happens. It gets fixed. If you're unhappy with the speed at which a browser or OS patches issues, then it may be time to look elsewhere.
 

coolfactor

macrumors 604
Jul 29, 2002
6,943
9,470
Vancouver, BC
Reporting on this is still not clear. The headline suggests that this issue _only_ affects Safari, but then the article says this bug is in WebKit.

... there is an issue with the WebKit implementation of the IndexedDB JavaScript API

Other browsers use the WebKit rendering engine, so would they not be affected, as well?

So maybe this was a bug in Safari's implementation of WebKit, and the Safari team, not the WebKit team, needed to fix it?
 

jdclifford

macrumors 6502a
Jul 26, 2011
913
1,265
Fix works on both my 14" MacBook Pro M1 Pro and my M1 iMac running Mac OS Monterey Version 12.2 (21D48).

No fix yet for Safari Version 15.2 (16612.3.6.1.8, 16612) on MacOS Big Sur Version 11.6.2 (20G314) on my 2015 12" MacBook. Ran the test website and it showed leak of 3 database names. Firefox has no leaks.

What's taking Apple so long to push out a fix for all versions of Safari?

To busy designing/tweaking emojis?
 
Last edited:

glockenSquish

macrumors member
Apr 10, 2008
51
55
Does anyone know if this bug affects older versions of Safari? I’m still running Mojave for compatibility reasons (audio plugins), and am running whatever the last safari is on that OS.
 

Baritone_Guy

macrumors regular
Feb 12, 2021
113
261
Reporting on this is still not clear. The headline suggests that this issue _only_ affects Safari, but then the article says this bug is in WebKit.



Other browsers use the WebKit rendering engine, so would they not be affected, as well?

So maybe this was a bug in Safari's implementation of WebKit, and the Safari team, not the WebKit team, needed to fix it?
It was in WebKit. All other iOS browsers are impacted. I use Edge and confirmed the impact for myself.

What really bugs me is that Apple has to issue a whole iOS update to fix a browser. They really need to fix that. Android did it a long time ago.
 

allan.nyholm

macrumors 68020
Nov 22, 2007
2,272
2,494
Aalborg, Denmark
I was going to write up a comment about an amazing discovery in the Safari Technology Preview where this is fixed too.

Good thing I never got my bragging shoes on.
 

jz0309

Contributor
Sep 25, 2018
9,936
25,898
SoCal
Safari has had vulnerabilities since it was invented. Stuff gets fixed but new problems are found. Don’t pretend that this is the end of it. As sure as the sun sets, there’s still problems with it that haven’t been revealed.
Bottom line: Stay on guard.
that's pretty much true for any browser and OSs, and apps, so for any software, not just Safari ... might have to do with humans being the coders ...
 

Realityck

macrumors G3
Nov 9, 2015
9,807
14,553
Silicon Valley, CA
Fix works on both my 14" MacBook Pro M1 Pro and my M1 iMac running Mac OS Monterey Version 12.2 (21D48).

No fix yet for Safari Version 15.2 (16612.3.6.1.8, 16612) on MacOS Big Sur Version 11.6.2 (20G314) on my 2015 12" MacBook. Ran the test website and it showed leak of 3 database names. Firefox has no leaks.

What's taking Apple so long to push out a fix for all versions of Safari?

To busy designing/tweaking emojis?
Apple has pushed out testing updates for Catalina/Big Sur also. They are 15.3 variety so likely when this all goes public, you'll see those also.
 

jclo

Managing Editor
Staff member
Dec 7, 2012
1,968
4,296
It wasn't discovered last week. It was discovered last year, November 2021. It was disclosed to the public last week.



Addressing the issue nearly two months after it having been reported is not timely, especially considering this patch still hasn't reach the public. If the update comes out in one week that will have been two months since Apple first learned about it.

I've updated the wording.
 
  • Like
Reactions: skardvin
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.