Safari bug lets websites track browsing activity and unique identifiers
The flaw, found in Apple's WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15
Researchers have found a bug in Apple's Safari browser that allows websites to track a user's browsing activities across other sites.
The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user's unique ID for some websites to other sites that they visit.
When properly implemented, IndexedDB, a browser API for client-side storage, follows the same-origin principle. This ensures that information stored from a web page is only available to web pages from the same domain. It stops over-inquisitive web pages from accessing other domains' stored information, which could include sensitive user or session data.
FingerprintJS found that WebKit's IndexedDB implementation fails to observe the same-origin principle, instead making stored information available to web sites from other domains.
FingerprintJS called the bug a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," the company said in its analysis of the bug. "This is possible because database names are typically unique and website-specific."
The company found some websites using user-specific IndexedDB data such as ID numbers in their IndexedDB database names, making it easy for any other website to find out a user's ID on other sites. Using this ID to look up the user's assets (such as profile pictures) could allow identification of the user, the company warned. Google websites store ID numbers in this way, making it possible for other sites to harvest Google IDs using the bug.
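For site developers, one way to check whether your own origin's IndexedDB database names carry user identifiers is sketched below. This is an added example, not code from FingerprintJS or the article; the function names, heuristics and sample names are assumptions made for illustration.

```javascript
// Added example: audit IndexedDB database names for embedded user identifiers.
// Heuristics, function names and sample data are assumptions, not from the article.

// Patterns that suggest a name embeds something user-specific.
const PATTERNS = [
  { reason: "long numeric id", re: /\d{8,}/ },
  { reason: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "e-mail address", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
];

// Returns [{ name, reasons }] for every database name that contains a known
// identifier of the signed-in user or matches one of the patterns above.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const id of knownUserIds) {
      if (id && name.includes(String(id))) reasons.push("contains known user id");
    }
    for (const { reason, re } of PATTERNS) {
      if (re.test(name)) reasons.push(reason);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Browser-only helper: audits the databases of the origin it runs on,
// using the standard indexedDB.databases() call.
async function auditCurrentOrigin(knownUserIds = []) {
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name), knownUserIds);
}

// Constructed sample names (not real data).
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.1234567890123",
  "drafts-3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d",
  "inbox:alice@example.test",
  "profile-u42",
];
```

Any name this flags is a candidate for renaming to a fixed, user-independent string, with the identifier moved into a record inside the database.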
FingerprintJS said that it had notified Apple of this bug on November 28 but Apple had not patched it. Apple's engineers began creating a patch on Sunday February 17, the day that FingerprintJS published details of the bug.