Last fall, Safari received its latest major update in the form of Safari 15, followed a month later by Safari 15.1. However, the update does not appear to have gone exactly according to plan on the security front. According to a recent report from FingerprintJS, the update contains a serious security issue through which information about the user may be leaked and used by malicious parties.
This particular security hole was reported in November last year on the WebKit Bug Tracker, but Apple has not taken any action yet. The problem stems from a seemingly flawed implementation of IndexedDB, whose purpose is to store information locally in the browser. Normally, the browser applies the so-called same-origin policy to this database. The purpose of this policy is to isolate each individual tab, since one tab should not have access to information handled in other tabs. In Safari 15, this policy is ignored, allowing tabs to interact with each other without the user’s knowledge.
In practice, this means that a website can, for example, make out data stored by other websites, which could reveal the identity of the user. FingerprintJS claims that if a website uses Google services, such as a Google account, YouTube, or Google Calendar, the user ID of those services may be retrieved. Through the user ID, profile pictures and other public information that identifies the user can then be passed between tabs.
At the time of writing, there’s not much the end user can do about it, other than switch browsers until the issue is fixed. However, that can be a problem depending on the device used, because Apple has chosen to block third-party browser engines on its phones, leaving iOS users vulnerable regardless of the browser used.
I collected one fingerprint demo site that can be visited. It shows whether the browser is vulnerable to this type of leak, along with a list of sites that can directly use this exploit. The list includes big names like Slack, Bloomberg, Dropbox, and Xbox. In addition, FingerprintJS also has a video in which they go through the problem, explain how the exploit works and how the test website can be used to identify any leaks.
Have you updated to the latest version of Safari, and do you care about the information the website handles? Feel free to discuss the topic!