Skip to main content

Apple's Safari browser isn't as secure as you think — new bug lets websites unveil your identity

Safari
Safari (Image credit: K303 / Shutterstock.com)

Apple's catchphrase for Safari, the Cupertino-based tech giant's default browser, is "Blazing Fast. Incredibly Private." We can't contest the former, but the latter is questionable due to a new privacy-infiltrating bug spotted in macOS, iOS and iPadOS.

FingerprintJS, a tech startup that builds open-source fingerprinting APIs for preventing online fraud, recently published a blog post revealing that Safari 15 has a vulnerability that enables websites to track users' internet activity and unveil their identity.

Safari 15 bug leaks users' online digital trail

The culprit behind Safari's vulnerability is its Javascript API called IndexedDB, an in-browser database that stores users' data to support a web page or app. 

Ideally, websites should only "see" the names of databases for its own domain — not others. Unfortunately, this isn't the case with Safari 15; websites can use this exploit to track other webpages its visitors are exploring.

Let's use Google as an example since it keep tabs of account holders by storing an IndexedDB of each user. Let's say you're watching videos on YouTube. If you launch a new website that uses IndexedDB, it will be able to detect that you're visiting the video-sharing website. 

"The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows," FingerprintJS said.

Adding salt to our wounds, FingerprintJS added that if you're logged into your Google account, websites can also see your unique Google user ID and photo (if you've uploaded one for your account). A malicious actor can retrieve your avatar and use an image search engine to unveil your identity.

FingerprintJS reported the issue to Apple in late November. Apple engineers worked on the security vulnerability on Jan. 16 and marked FingerprintJS' bug report as resolved. However, a fix hasn't been released yet and the flaw "continues to persist for end users," the blog post said.

To see the vulnerability in action for yourself, you can run a proof-of-concept live demo. As mentioned, the vulnerability affects Safari 15 on macOS, iOS and iPadOS 15.

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!