Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
56,583
19,330


A bug in WebKit's implementation of a JavaScript API called IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS.

safari-icon-blue-banner.jpeg

In a nutshell, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user's browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often unique and specific to each website. The correct and normal behavior should be that websites can only access their own IndexedDB databases.

In some cases, websites use unique user-specific identifiers in IndexedDB database names. For example, YouTube creates databases that include a user's authenticated Google User ID in the name, and this identifier can be used with Google APIs to fetch personal information about the user, such as a profile picture, according to FingerprintJS. This personal information could help a malicious actor to determine a user's identity.

The bug affects newer versions of browsers using Apple's open source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome on iOS 15 and iPadOS 15, as Apple requires all browsers to use WebKit on the iPhone and iPad. FingerprintJS has a live demo of the bug that indicates older browsers like Safari 14 for Mac are unaffected.


FingerprintJS noted that no user action is required for a website to access IndexedDB database names generated by other websites.

"A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time," the blog post said. "Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site."

Private browsing mode does not protect against the bug in affected Safari versions.

Users will need to wait for Apple to address the bug with software updates — we've reached out to Apple to see if a fix is planned. In the meantime, Safari 15 users could temporary switch to a different browser on the Mac, but this is not possible on the iPhone or iPad since all browsers are affected by the WebKit bug on those devices.

The bug was reported to the WebKit Bug Tracker on November 28. More details can be found in FingerprintJS's blog post, reported earlier by 9to5Mac.

Update: Apple has prepared a fix for the bug, according to a WebKit commit on GitHub, but Apple still needs to release macOS and iOS updates with an updated version of Safari before the fix is available to users. Apple declined to provide a timeframe.

Article Link: Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]
 
Last edited:
  • Wow
Reactions: RandomDSdevel

Shirasaki

macrumors G5
May 16, 2015
12,845
6,814
Oh boy oh boy. So much about privacy huh. Even though this bug just also affects user privacy, by no means Apple would let it float for very long…I hope.

And so much for iOS using singular web rendering engine, even though this bug is not devastating enough to warrant a rethink on Apple side.
 

killawat

macrumors 68000
Sep 11, 2014
1,561
2,466
Any Web Developers can chime in on how prevalent IndexedDB usage is? I thought LocalStorage was all the rage. 1000% not a web developer, obviously.
 

PinkyMacGodess

macrumors G3
Mar 7, 2007
8,733
4,700
Midwest America.
Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.

Back in the NT4 days, it was not at all unlikely that Microsoft would release a patch that would contain flaws that were already patched, so they would have to circle around and patch them again. I guess 'update' was a more elastic concept back then. But they have come a long way since then. They release whole operating systems that fail. Millennium Edition, Vista, Bob, Windows 8, etc...
 

jz0309

Contributor
Sep 25, 2018
5,612
15,792
Temecula, CA
Back in the NT4 days, it was not at all unlikely that Microsoft would release a patch that would contain flaws that were already patched, so they would have to circle around and patch them again. I guess 'update' was a more elastic concept back then. But they have come a long way since then. They release whole operating systems that fail. Millennium Edition, Vista, Bob, Windows 8, etc...
As long as it is humans who code, there will be bugs.
When the machines take over, there will be bugs, because it was humans who created (coded) the machines.
We’re screwed…
/s
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.