Strange. Why does Macrumors only allow members to comment on certain articles? Is it because they don't want us to post our personal views? I thought this is America?

"You Have The Right to Free Speech
Just as long as you're not Dumb Enough to actually Try it."


Know your Rights - The Clash
 
The demo page shows that it continues to see the databases after the tabs are closed. It’s pretty easy to use the demo to test.

https://safari-15-indexeddb-bug-demo.netlify.app/
If you have any of those pages open, though, you’re still a part of the experiment and of course will see the results as expected. Just as I assume if you open a malicious website (via a popup for example) using this method, as long as that window/tab is open, it has access to and can report your real-time browsing information about at least 30 sites. Which isn’t a significant number, to be fair.

Given that many security researchers' job is to make exploits sound as scary as possible without being so hyperbolic as to become a laughingstock among other researchers, the fact that the security researcher “suspect this number to be significantly higher in real-world scenarios” without actually checking and providing further info on some of their suspicions about databases on sub pages, those specific user actions or authenticated parts of pages, you can almost guarantee that the exploit provides incomplete information regarding connections to 30 sites. If the number of sites on the web were 40, perhaps, this would be more concerning.
 
If you have any of those pages open, though, you’re still a part of the experiment and of course will see the results as expected. Just as I assume if you open a malicious website (via a popup for example) using this method, as long as that window/tab is open, it has access to and can report your real-time browsing information about at least 30 sites. Which isn’t a significant number, to be fair.

Given that many security researchers' job is to make exploits sound as scary as possible without being so hyperbolic as to become a laughingstock among other researchers, the fact that the security researcher “suspect this number to be significantly higher in real-world scenarios” without actually checking and providing further info on some of their suspicions about databases on sub pages, those specific user actions or authenticated parts of pages, you can almost guarantee that the exploit provides incomplete information regarding connections to 30 sites. If the number of sites on the web were 40, perhaps, this would be more concerning.
I like to understand the details of various threats. I'm not particularly concerned about this one now that I know how it works. They track certain sites because I suspect that they reverse engineered the IndexedDB names to match up to the website. Any site that uses the IndexedDB API is able to be tracked by this bug but many (most?) sites don't use this particular API.

Interestingly, your supposition that you only have to close the tab to remove access to the database name is correct on macOS. Now that I'm in front of my Mac, I can see that the ability of the demo to read the DB name is removed once the tab is closed. That is not how it works on iPadOS (and I assume iOS). Closing a tab in iPadOS does not remove access to the indexedDB name unless the tab is a private browsing tab or you force quit Safari. And if you reuse a private tab in iPadOS, the demo is still able to see the database name.
 
I am a huge Apple fan and a Mac user since the Mac SE...Apple IIe and GS before that. All that said....Safari just sucks and always has sucked. Why do Mac users continue to use it?
I agree, but as a long time user who also uses many other browsers I'll bite.

Why we use it? Easy, UI used to be "somewhat cleaner / nicer" than the rest, and because it's "native". That's about it sadly.

I just wish they'd take some god damn responsibility once and for all and try to actually offer their best efforts, because this junk has been lacking everywhere for over a decade. They should re-write it from scratch, but then you look at examples such as iTunes, they turned a pig into even worse separated apps, so expectations of a better outcome are nil.

For dev context it has always been plain useless. When they started releasing Tech Preview versions, a spark of hope was lit. Then reality shows us about 140 versions so far, and stable is worse than ever.

At this point it is clear they don't even care to serve "basic" users through polished OSs (iMonterrey, iOS15, iPadOS), imagine their native apps or devs trying to debug through their browser. A bizarre joke.
 
Strange. Why does Macrumors only allow members to comment on certain articles? Is it because they don't want us to post our personal views? I thought this is America?

Standing on a public square, people *have* to hear you. (They may not like what you say, but you have the right to say it and alienate everyone, and potentially go to jail (there is *some* speech that will get you investigated/prosecuted/jailed)). Here? You are in their pool. You have the 'privilege' to say whatever you want, and they have the right to limit it, edit it, and also expel you if you abuse that 'privilege' and violate their rules. The people with the most 'rights' here are Macrumors and their moderators and the people they give monitoring ability to.
 
I've been using Brave browser for a year.
Very good browser, your privacy is a major consideration in how it's coded.
It's not just something they say.
On iOS/ipadOS, it doesn't matter what browser you use as ALL of them are affected since Apple requires web browsers to use the Safari/webkit engine.
 
Strange. Why does Macrumors only allow members to comment on certain articles? Is it because they don't want us to post our personal views? I thought this is America?
You should probably check what the first amendment of the USA is actually about. Seems like you don't understand it. Besides, Macrumors is a site accessible by everyone around the world, not only for Americans.
 
They track certain sites because I suspect that they reverse engineered the IndexedDB names to match up to the website. Any site that uses the IndexedDB API is able to be tracked by this bug but many (most?) sites don't use this particular API.
Right, of the top 1000 sites, only 30 used IndexedDB, so they can barely “track you across the internet in real-time”. They can track you among those 30 sites and potentially “more”. And “more” could mean 4. ;)

Interestingly, your supposition that you only have to close the tab to remove access to the database name is correct on macOS. Now that I'm in front of my Mac, I can see that the ability of the demo to read the DB name is removed once the tab is closed. That is not how it works on iPadOS (and I assume iOS). Closing a tab in iPadOS does not remove access to the indexedDB name unless the tab is a private browsing tab or you force quit Safari. And if you reuse a private tab in iPadOS, the demo is still able to see the database name.
Understood and I follow. So, if you have 70 tabs open and only 3 of those are on that list of 30, then closing all those tabs would still provide visibility into the fact that you’ve visited those 3 sites IF you visit a page that has implemented the exploit.
 
Why do Mac users continue to use it?

Some sites just don't work unless I use Safari. I was installing new wifi and even Safari wouldn't work, so I had to download (CRINGE) Chrome. *GAG* But tossed it as soon as I got the system up and running. I knew people that clung to IE on Windows. Some people, you just can't save them. :D
 
Right, of the top 1000 sites, only 30 used IndexedDB, so they can barely “track you across the internet in real-time”. They can track you among those 30 sites and potentially “more”. And “more” could mean 4. ;)


Understood and I follow. So, if you have 70 tabs open and only 3 of those are on that list of 30, then closing all those tabs would still provide visibility into the fact that you’ve visited those 3 sites IF you visit a page that has implemented the exploit.
Correct. Like I said, not a particularly worrisome bug. Though I suspect that there are a lot more than 30 sites using the IndexedDB API. Anyway, Apple already fixed this in WebKit and presumably will distribute the fix in the next releases of iOS, iPadOS, and macOS.
 
Correct. Like I said, not a particularly worrisome bug. Though I suspect that there are a lot more than 30 sites using the IndexedDB API. Anyway, Apple already fixed this in WebKit and presumably will distribute the fix in the next releases of iOS, iPadOS, and macOS.
Right, I think they’re using it, but not in a way that makes it as easily identifiable as the 30, meaning you’d have to put in a little work to figure it out and the author just didn’t want to.
 
Right, I think they’re using it, but not in a way that makes it as easily identifiable as the 30, meaning you’d have to put in a little work to figure it out and the author just didn’t want to.
The actual code to see the database names is a simple promise:
indexedDB.databases().then(databases => { console.log(databases) })

That retrieves the names of the databases. Now you have to manually match those names to actual websites. Tedious but pretty easy to do. I guess you could just load up the top 1000 websites and automate it by looping over the sites and then recording/storing the names of any databases you found.
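An added example, not from the thread or the demo page, showing the defender's side of what the post describes: a page can compare the result of indexedDB.databases() against the databases it created itself, and any name it never created means the enumeration is not partitioned per origin (the Safari 15 leak). The database names and listings are constructed sample data, and the async wrapper assumes it is handed window.indexedDB.

```javascript
// Added example (not from the thread or the demo page). In a correctly
// partitioned browser, indexedDB.databases() on one origin lists only that
// origin's databases; under the Safari 15 bug it also lists names created by
// other origins visited in the same session. This checker lets a page detect that.

// Names this origin created itself (constructed sample data).
const OWN_DATABASES = ["shop-cart", "shop-session-cache"];

// What a correctly partitioned browser returns for this origin (constructed).
const LISTING_PARTITIONED = [
  { name: "shop-cart", version: 3 },
  { name: "shop-session-cache", version: 1 },
];

// What a leaking browser might return: the same two entries plus databases
// that belong to other origins visited in the same session (constructed names).
const LISTING_LEAKING = [
  { name: "shop-cart", version: 3 },
  { name: "shop-session-cache", version: 1 },
  { name: "other-site-a-prefs", version: 2 },
  { name: "other-site-b-offline-store", version: 7 },
];

// Split an indexedDB.databases() result into names we created and names we
// did not. Any entry in `foreign` means the listing is not scoped to the
// calling origin, i.e. the cross-origin leak discussed in the thread.
function classifyDatabaseNames(listing, ownNames) {
  const own = new Set(ownNames);
  const result = { own: [], foreign: [], leaking: false };
  for (const info of listing) {
    if (typeof info.name !== "string") continue; // skip malformed entries
    (own.has(info.name) ? result.own : result.foreign).push(info.name);
  }
  result.leaking = result.foreign.length > 0;
  return result;
}

// Wrapper for use in a real page: pass window.indexedDB as `idb`.
// indexedDB.databases() is not implemented by every browser, so report
// "unsupported" instead of throwing when the method is missing.
async function auditIndexedDbEnumeration(idb, ownNames) {
  if (!idb || typeof idb.databases !== "function") {
    return { supported: false, leaking: false, own: [], foreign: [] };
  }
  const listing = await idb.databases();
  return { supported: true, ...classifyDatabaseNames(listing, ownNames) };
}
```

Run on the constructed listings, the partitioned case reports no foreign names and the leaking case reports the two names this origin never created.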
 
Says this bug was reported months ago. Why is Apple so slow at addressing these things? It can sometimes take them a year to patch a critical bug. It makes no sense.
 
Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.
LOL, take it to MSRumors. I have few if any bugs in Monterey, I do admit there have been a few reported that needed fixing. But even with a new OS on new hardware, still makes that outdated Windows look like a POS
 
Strange. Why does Macrumors only allow members to comment on certain articles? Is it because they don't want us to post our personal views? I thought this is America?

Well, this is the World, not just America. Some of us don't actually live in the US. The US is not the World. Drives me nuts when Americans think that the US is the centre of the universe. It's not.

Second, you must earn your privilege to post on politically-charged articles. That's to keep the flames at bay. Forums that don't do this have one-shot posters registering, posting and then never using that account again. It's a real mess, so kudos to MacRumors for placing a barrier in place. It's not about free speech, it's about reputation as a poster. You wouldn't be allowed to walk into a private building and say whatever you want without consequences. MacRumors owns this space. They host your comments. It's proactive moderation.

Now, back on topic, I'm surprised that Apple hasn't already issued a fix. Usually they act faster than this when a bug gets headlines.
 
The actual code to see the database names is a simple promise:
indexedDB.databases().then(databases => { console.log(databases) })

That retrieves the names of the databases. Now you have to manually match those names to actual websites. Tedious but pretty easy to do. I guess you could just load up the top 1000 websites and automate it by looping over the sites and then recording/storing the names of any databases you found.
Ah, but I think if the resulting data showed anything even remotely concerning (or something that could be twisted into being concerning), the security researcher would have provided it as further proof that they are indeed a serious security researcher worth everyone’s notice and attention! :)
 
I am a huge Apple fan and a Mac user since the Mac SE...Apple IIe and GS before that. All that said....Safari just sucks and always has sucked. Why do Mac users continue to use it?

I have a feeling that you probably had one bad experience and judged the entire lifetime of the browser based on that, both backwards and forwards. The browser is "tainted" in your eyes, no matter how much it improves, right?

I have tried many browsers over the years, but continue returning to Safari. I prefer its text rendering, its look and feel, iCloud integration, logic keyboard shortcuts, etc. Lots of reasons that it just feels better to me overall. Do I think it's better than the others in every way? No, of course not, but it's better for me.
 
Hate to rain on your parade, but the ONLY web browser allowed to run on iOS is Safari. What you are using are just modified GUIs to Safari.

I never mentioned anything about the bug, just that actual Safari itself sucks as a browser. Many others render pages faster, are more secure, and have better features. Safari is bloated, displays ads, their content blocker sucks, and on and on. People using Safari are really missing out on some great alternatives.
 
boy am i glad i have and use Mojave, because HBO has a big nose:
[image: hbo_tracks.png]
 
This is nuts. I really feel that software departments should have employees devoted to only fixing bugs. That way they can continue with their timeline and don’t have to divert resources and delay features. It appears this fairly serious bug was discovered around the holidays and was purposely pushed until they had time to get to it, which they still haven’t almost 2 months later. This is completely unacceptable and anecdotally seems to happen more frequently.
Do you really think Apple doesn’t have an entire software department dedicated to bug fixes?
 
Strange. Why does Macrumors only allow members to comment on certain articles? Is it because they don't want us to post our personal views? I thought this is America?
Feel free to Twitter your heart out. When Americans stop believing in science, politics becomes total bull excrement.
 