
Safari bug lets websites track browsing activity and unique identifiers

The flaw, found in Apple's WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15

Researchers have found a bug in Apple's Safari browser that allows websites to track a user's browsing activities across other sites.

The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user's unique ID for some websites to other sites that they visit.

The flaw, found in Apple's WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15. It lies in WebKit's implementation of the Indexed Database API, commonly called IndexedDB, a JavaScript API through which web pages store and query structured objects in the browser. IndexedDB frequently holds data generated while the user interacts with a web application, including the unique ID that identifies the user to that application, such as their Google ID.

When properly implemented, IndexedDB follows the same-origin principle. This ensures that information stored by a web page is only available to web pages from the same domain. It stops over-inquisitive web pages from accessing other domains' stored information, which could include sensitive user or session data.


FingerprintJS found that WebKit's IndexedDB implementation fails to observe the same-origin principle, instead making stored information available to websites from other domains.

FingerprintJS called the bug a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," the company said in its analysis of the bug. "This is possible because database names are typically unique and website-specific."

The company found that some websites embed user-specific data, such as account ID numbers, in their IndexedDB database names, making it easy for any other website to learn a user's ID on those sites. Using this ID to look up the user's assets (such as profile pictures) could allow identification of the user, the company warned. Google websites store ID numbers in this way, making it possible for other sites to harvest Google IDs using the bug.
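As an added example (not code from the article or from FingerprintJS), the naming pattern the article warns about is shown beside a layout that keeps the user identifier out of the database name, together with a small audit helper a site could run over the names its code creates; the names `app-store` and `user-data` and the detection heuristics are assumptions.

```javascript
// Added example: why a per-user IndexedDB database name is a tracking token,
// and how a site can avoid exposing one. Uses only the standard IndexedDB API
// for the browser part; the audit helper is plain JavaScript.

// Vulnerable pattern described in the article: the user's ID is part of the
// database name, so a name leak reveals the ID to every other origin.
function leakyDatabaseName(appName, userId) {
  return `${appName}-user-${userId}`;
}

// Hardened pattern: one constant database name per application. Hashing the ID
// would not help, because any name that is stable and unique per user is still
// a cross-site identifier once names leak; only a constant name removes the
// signal. User scoping lives inside the database instead (assumed names).
const DATABASE_NAME = "app-store";
const USER_STORE = "user-data";

function hardenedDatabaseName(appName) {
  // The name never depends on who is logged in.
  return appName;
}

// Audit helper: flags a database name that contains a known identifier, or
// that carries what looks like a per-user token (a long digit run such as an
// account number, or a long hex run such as a session or hash value).
function databaseNameLeaksIdentity(dbName, knownIdentifiers) {
  const containsKnownId = knownIdentifiers.some((id) => dbName.includes(String(id)));
  const looksLikeToken = /\d{10,}|[0-9a-f]{16,}/i.test(dbName);
  return containsKnownId || looksLikeToken;
}

// Browser-only: open the constant-name database and keep per-user records in
// an object store keyed by userId, so the identifier is data, not a name.
function openUserStore(userId) {
  return new Promise((resolve, reject) => {
    const request = indexedDB.open(DATABASE_NAME, 1);
    request.onupgradeneeded = () => {
      request.result.createObjectStore(USER_STORE, { keyPath: "userId" });
    };
    request.onsuccess = () => resolve({ db: request.result, key: userId });
    request.onerror = () => reject(request.error);
  });
}
```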

The bug affects all browsers on iOS 15 because Apple mandates the use of WebKit on this platform in its developer guidelines. Section 2.5.6 says "Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript."

FingerprintJS said that it had notified Apple of this bug on November 28 but Apple had not patched it. Apple's engineers began creating a patch on Sunday February 17, the day that FingerprintJS published details of the bug.
