Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

[Unregistered 4U]

This isn't limited to iframes, but any tabs that you open during the browsing session. So, any website could be a bad actor and doesn't necessarily have to be an ad network. They could link your Google profile (if logged in) with the tabs that you have open.

If you open a malicous tab, yes. MacRumors or any other reputable site? No. They all have far more effective tools for tracking than this. And, if you’re opening malicious tabs, you likely don’t have to worry about this either as they ALSO have more effective ways of obtaining benefit from your traversal to their malicious site.

What they’re saying is possible, like how walking from Los Angeles to Las Vegas is. Sure, it’s possible, but no one would do it unless they really wanted to do that thing it the absolute worst possible way.

 

[ovenbakedlies]

As far as i understand, this also affects iPads and iPadOS ?
Apple push the iPad pro as a replacement for my desktop computer. And yet the only browser engine it can run is one with a serious privacy vulnerability that goes unpatched for two months, with no workarounds, alternatives or even acknowledgment.
Way to go, Apple.

 

[0924487]

I feel like I should just burn all my gadgets and go live in the mountains. 😭

All you have to do is to unplug from the internet.

 

[VulchR]

OK - I just have to say this. I wish Apple had put the engineering effort they wasted on their CSAM spy software into fixing security-related bugs like this. And I would just like to remind some of you that you argued that because Apple's is so big and successful that the CSAM system must be private and secure. Well, evidently Apple can stub their toes with the best of them.

 

[Aoligei]

There’s also a lot of Chevy’s on the road. Doesn’t make them great vehicles.

There’s lots of iPhone out there. Doesn’t make them great phones.

 

[I7guy]

OK - I just have to say this. I wish Apple had put the engineering effort they wasted on their CSAM spy software into fixing security-related bugs like this. And I would just like to remind some of you that you argued that because Apple's is so big and successful that the CSAM system must be private and secure. Well, evidently Apple can stub their toes with the best of them.

Are you saying Apple should have 100% bug free software? Do you know the reason this bug isn’t fixed or assume it just should have been fixed? And just assume that CSAM code is buggy because bugs exist in iOS?

 

[I7guy]

There’s lots of iPhone out there. Doesn’t make them great phones.

Maybe not for Chevys(except vettes) and Macdonalds burgers, but iPhones are great phones.

 

[mjtomlin71]

 

[chrfr]

It looks like Apple engineers have come up with a WebKit fix, based on this tweet:

https://twitter.com/x/status/1483085011532267520

Now we just have to wait until it rolls out into a release of iOS/iPadOS and Mac Safari.

 

[GtrDude]

I've been using Brave browser for a year.
Very good browser, your privacy is a major consideration in how it's coded.
It's not just something they say.

 

[jdb8167]

It looks like Apple engineers have come up with a WebKit fix, based on this tweet:

https://twitter.com/x/status/1483085011532267520

Now we just have to wait until it rolls out into a release of iOS/iPadOS and Mac Safari.

Until the fix is released the only workaround that I’ve found is to delete Safari website data or use private browsing for everything and always use a new tab when opening a URL. I haven’t tested on macOS yet but at least on iPadOS using normal browsing sessions is a problem because you have force quit Safari to actually end a browsing session.

 

[halifaxcrosby]

FB is smiling

 

[jdb8167]

Even closing the tab removes the problem in this case.

Not on iPadOS using non-private sessions. You have to force quit Safari to actually end a browser session though I’m sure over time and depending on your memory use, the session will end eventually. With private browsing it does remove the problem if you close the tab.

 

[PinkyMacGodess]

So this is nice. Good thing I don't use Safari on the mac. Oops for Apple. After reading more on this, I can see how they missed it, but still...

 

[PinkyMacGodess]

Does this affect ios14? If it isn’t, then ios14 is safer?

The bug affects newer versions of browsers using Apple's open source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15.

Seems like you should be safe. At least from this issue.

 

[Unregistered 4U]

Not on iPadOS using non-private sessions. You have to force quit Safari to actually end a browser session though I’m sure over time and depending on your memory use, the session will end eventually. With private browsing it does remove the problem if you close the tab.

If this is powered by javascript, if you close the tab that the javascript is running in, the javascript continues to execute?

 

[PinkyMacGodess]

FB is smiling

Why?

 

[jdb8167]

If this is powered by javascript, if you close the tab that the javascript is running in, the javascript continues to execute?

The demo page shows that it continues to see the databases after the tabs are closed. It’s pretty easy to use the demo to test.

https://safari-15-indexeddb-bug-demo.netlify.app/

 

[Stunning_Sense4712]

Wouldn't disabling JavaScript mitigate this?

Along with breaking a lot of websites that will not work correctly without javascript enabled.

 

[Stunning_Sense4712]

It looks like Apple engineers have come up with a WebKit fix, based on this tweet:

https://twitter.com/x/status/1483085011532267520

Now we just have to wait until it rolls out into a release of iOS/iPadOS and Mac Safari.

How nice of Apple to mark the issue as resolved when no updates have been pushed out by Apple that corrects the issue.

 

[jdb8167]

How nice of Apple to mark the issue as resolved when no updates have been pushed out by Apple that corrects the issue.

That’s the internal tracking site for the open source WebKit project. It isn’t meant to be used by end-users to report on releases.

 

[Shirasaki]

I tried it in Safari Technology Preview and it still happens there. WTF is wrong with Apple, do they not care about privacy or security, this should have been fixed over the weekend already. It's not like they have any shortage of engineers or money. At least provide a setting to turn off the db or clear them. They should stop bloviating about user privacy if they can't manage to do proper security audits of WebKit.

Apple cares about money, and only money. I assume you know this. Everything else is just empty words carrying no value.

 

[Blue Nova]

I feel like I should just burn all my gadgets and go live in the mountains. ?

I heard Mountains will be the next macOS.
JK.

 

[xterratop]

Strange. Why does Macrumors only allow members to comment on certain articles? Is it because they don't want us to post our personal views? I thought this is America?

 

[star-affinity]

Safari just sucks and always has sucked. Why do Mac users continue to use it?

Because during the many years I used it it worked well overall? That said; I'm mainly using Firefox now since a few years back.