
The Cyber Security News


Safari bug lets websites track browsing activity and unique identifiers

January 18, 2022


Researchers have discovered a bug in Apple’s Safari browser that lets websites track a user’s browsing habits across other sites.

The bug, uncovered by browser fingerprinting service FingerprintJS, also exposes a user’s unique ID for some websites to other sites that they visit.


The flaw, found in Apple’s WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15. It lies in WebKit’s implementation of the Indexed Database API, commonly known as IndexedDB, a JavaScript API that browsers use to access a database of objects and that often stores data produced when interacting with a web application. This includes a user’s unique ID for interacting with web applications, such as their Google ID.

When properly implemented, IndexedDB follows the same-origin principle. This ensures that data stored by a web page is only available to web pages from the same domain. It stops over-inquisitive websites from accessing other domains’ stored data, which could include sensitive user or session data.

FingerprintJS found that WebKit’s IndexedDB implementation fails to observe the same-origin principle, instead making stored information available to websites from other domains.

FingerprintJS called the bug a privacy violation. “It allows arbitrary internet websites to find out what internet sites the person visits in various tabs or windows,” the company said in its analysis of the bug. “This is possible simply because database names are usually unique and website-unique.”

The company found some websites using user-specific data such as ID numbers in their IndexedDB database names, making it easy for any other site to find out a user’s ID on other websites. Using this ID to look up the user’s assets (such as profile photos) could allow identification of the user, the company warned. Google websites store ID numbers in this way, making it possible for other sites to harvest Google IDs using the bug.

The bug affects all browsers on iOS 15 because Apple mandates the use of WebKit on this platform in its developer guidelines. Section 2.5.6 says “Applications that look through the web need to use the correct WebKit framework and WebKit Javascript.”

FingerprintJS said that it had notified Apple of this bug on November 28 but Apple had not patched it. Apple’s engineers began creating a patch on Sunday February 17, the day that FingerprintJS published details of the bug.


Some parts of this article are sourced from:
www.itpro.co.uk
