Swell. Add that to the huge bug list in Monterey.

I don't get the impression that Monterey has a "huge bug list". Catalina seemed to be a low point in quality, perhaps because they changed a lot of internals.

It's a bug, and 50 days and counting is a bit slow for Apple to react, but still well below Google's 90-day responsible disclosure deadline. They shouldn't have disclosed it yet.
 
So why are you here then? Shouldn’t you be on a Microsoft tech blog?
It does not hurt to look into what others do and to learn from it for your own platform / favourite gadgets. Both if they do better or worse.

With regards to software feature releases, it is good that Apple introduces things once or twice per year, because the constant changes that other companies do to their UI/UX can be frustrating. I know that Apple can also miss the mark entirely - so let's not get into the tab-design discussion or the Podcast App.

But, if you have bugs you need to be faster. Every programmer can overlook something. And in the same way that you can be clever to solve a problem, somebody can be equally clever and open a new door. That is the nature of things. But here Apple's slowness of upgrades is bad and Microsoft is usually much more reactive.

And although people like to bash Microsoft, the company actually has some good sides as well. As a developer I really appreciate their structured approach to language design and most of the JavaScript community will agree that they have made two important and valued contributions: TypeScript and Visual Studio Code (though I feel that the latter one gets overly complicated ... as is the nature with many successful products and platforms).
 
Safari shouldn’t be on a yearly release schedule. As much as it is my favorite browser and I have used it daily for a decade, this old yearly release approach from Apple is clearly hurting them in the long run. While they push some critical bugfixes fast, others like rendering issues or format support take until the next big release to come out. In this world where the web is evolving so fast, and so are its threats, it’s just unacceptable to see a modern browser lag behind so badly.

The same argument should be made to separate security fixes from iOS regular releases. Pegasus should have been able to be patched earlier, and no doubt bundling it with a dot release took unnecessary time.

Also, pay your bounties Apple and stop ignoring threats when people disclose them to you! You’re a 3 trillion dollar company, start acting like it.
 
I don't get the impression that Monterey has a "huge bug list". Catalina seemed to be a low point in quality, perhaps because they changed a lot of internals.

It's a bug, and 50 days and counting is a bit slow for Apple to react, but still well below Google's 90-day responsible disclosure deadline. They shouldn't have disclosed it yet.

I've been using the public beta of Monterey on my M1 Air since it launched, and I have not had any issues...I use it daily for work, leisure and study. The one thing that worried me was the SSD cycle issue right at the start but that seems to have been resolved.
 
I feel like I should just burn all my gadgets and go live in the mountains.
They can still track your heat signature via satellite unless you cover your entire body with cold mud like Arnold (Dutch) did to hide from Predator. :cool:
 
I tried it in Safari Technology Preview and it still happens there. WTF is wrong with Apple, do they not care about privacy or security, this should have been fixed over the weekend already. It's not like they have any shortage of engineers or money. At least provide a setting to turn off the db or clear them. They should stop bloviating about user privacy if they can't manage to do proper security audits of WebKit.
 
When Apple could not get users to accept CSAM photo browsing, I'm guessing that the NSA, FBI and DOJ thought this would be better for citizen compliance. You will be assimilated.
 
Unbelievable the lack of passion & vision behind Safari, the team behind it puts out this unacceptable half baked garbage really, it's truly appalling & disgraceful the lack of leadership, QA and how much the browser has retrogressed, beyond IE levels. So much for Apple's silicon and all the "privacy" smoke but it gets outperformed by almost any mainstream browser in Apple's own OS while also offering less granular privacy tools.

Unreal.
Man, I wish I could disagree with this. So Apple's "we are the most secure" marketing is just marketing. Yep, should have known that.
 
“We’re waiting on the WebKit open source team to fix this.”

For those that don’t know, WebKit is an open source project hosted by Apple. There are many contributors to the project that do not work for Apple. Maybe this isn’t a bug that can just be patched and goes a bit deeper, which would take longer to fix (and the reason why it was not easily discovered).
Apple is the major contributor of WebKit. The third party commits are relatively insignificant compared to the commits of Apple employees. Just because Apple has open sourced this technology doesn't take anything away from their responsibility in fixing this.
 
For every security story, you have to look at “How would this be effective”. For example, there’s currently a critical security flaw in macOS in that if someone has physical access to your computer AND knows your password, they can use the keyboard to type in your password and gain access to your account. If your account is an admin, then they have access to all accounts on your computer! A very serious flaw, to be sure, but I doubt Apple does anything about it.

Here, it mentions something that most users are already aware of and deal with fairly quickly… “a tab or window that runs in the background”. Now, assuming a malicious actor hasn’t already hacked into an ad network, we’re talking about a popup window which most of us see, are annoyed by and close immediately. A closed window can’t continually query anything, and CERTAINLY not in real time.

Additionally, well behaved websites CAN open any website in an iFrame, but would MacRumors do that? Would Apple.com do that? No. There are sites out there that would, but, again, this is a situation where you actively have to put yourself into. If a malicious actor sends you a link via email, and you click on the link, sure, they’d be able to track for as long as you don’t close the browser. BUT, if a malicious actor thinks they can get you to click the link, the payload is going to be FAR more effective than an exploit that “kinda” just tracks you but only if you leave your browser windows open and/or NEVER EVER close popup windows.
This isn't limited to iframes, but any tabs that you open during the browsing session. So, any website could be a bad actor and doesn't necessarily have to be an ad network. They could link your Google profile (if logged in) with the tabs that you have open.
 
Apple has a commitment to user privacy but unfortunately doesn't have the engineering competence to consistently back that commitment up.
In my experience, it is not "engineering competence" but rather management direction. There are no or not enough engineers assigned to do WebKit security code and testing. Why? Because it adds nothing to the Keynote each year, unless there is a big media hoopla.

Anyway, security is so 90s. Apple's national security letters have to be implemented somehow.
 
You mean they can... log in? That seems normal to me.
Yes, and perfectly normal to anyone BUT a security researcher that hasn’t seen their Twitter account retweeted in a few months. :) They always put all the SCARY stuff right up front and then it’s like pulling teeth to get to “But how’s this an exploit, buddy?” Because they know this isn’t a serious exploit. My guess is that this does do what they say it does, but there are SO many other more effective ways of doing that thing, there’s no malicious actor that would use this vector which can be defeated just by a user closing a window/tab.
 
Apple is the major contributor of WebKit. The third party commits are relatively insignificant compared to the commits of Apple employees. Just because Apple has open sourced this technology doesn't take anything away from their responsibility in fixing this.
Still doesn’t change the fact that it’s open source, though. And, that this will be fixed as soon as the WebKit open source community deems it necessary to be fixed.
 