Apple Safari flaw can leak users' recent browsing history and personal identifiers

The bug also affects third-party browsers on Apple devices, like Chrome


The vulnerability stems from an issue with Apple's implementation of a JavaScript API which is part of Apple's WebKit

Researchers have disclosed details of a weakness in Apple's Safari browser that an attacker can leverage to steal information about your recent browsing history, and even some details of your logged-in accounts, like your Google ID.

According to the team at FingerprintJS, the vulnerability stems from an issue with Apple's implementation of a JavaScript API called IndexedDB, part of Apple's WebKit.

IndexedDB stores data about the websites a user visits, so those sites can load quickly if they return. Under the same-origin policy, data belonging to one origin should never be visible to another origin, but the security flaw means this isolation is currently not enforced in Safari.

As a result of the bug, any website that uses IndexedDB can access the names of IndexedDB databases created by other sites during a user's browsing session.

"In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy," software engineer Martin Bajanik noted in a blog post.

"Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session."

Using the exploit described in the blog post, a malicious website could steal a user's Google User ID from websites like YouTube, Google Keep or Google Calendar. Because the ID is used to make API requests to Google services, an attacker could use it to uncover other personal information about the user.

As well as Safari, third-party browsers like Chrome on iOS 15 and iPadOS 15 are also affected, as Apple requires all browsers on the iPhone and iPad to use WebKit.

Safari users, and users of any browser on iOS and iPadOS, can't rid themselves of the flaw without taking "drastic measures" like blocking all JavaScript, which would make modern web browsing extremely inconvenient.

FingerprintJS researchers reported the bug to the WebKit Bug Tracker on 28th November, and Apple engineers began working on it at the weekend. They merged potential fixes and marked the researchers' bug report as resolved.

However, the bug still exists for end users until the changes are released.

It is not the first time that researchers have discovered security vulnerabilities impacting Safari and WebKit.

Last year, Apple had to re-release its browser to address bugs introduced by a previous update.

In March, Apple released an urgent security patch to address a zero-day bug under active attack in WebKit.

In January 2020, the iPhone maker addressed three zero-day bugs - CVE-2021-1870 and CVE-2021-1871 affecting WebKit and CVE-2021-1782 in the iOS kernel - which criminals could use to achieve remote code execution after elevating privileges on a vulnerable system.