Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time

A bug in WebKit’s implementation of a JavaScript API known as IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS.

In a nutshell, the bug permits any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user’s browsing session. The bug could permit one website to track other websites the user visits in different tabs or windows, since the database names are often unique and specific to each website. The correct and normal behavior should be that websites can only access their own IndexedDB databases.

In some cases, websites use unique user-specific identifiers in IndexedDB database names. For example, YouTube creates databases that include a user’s authenticated Google User ID in the name, and this identifier can be used with Google APIs to fetch personal information about the user, such as a profile picture, according to FingerprintJS. This personal information could help a malicious actor determine a user’s identity.
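For site owners, the practical takeaway is to keep user identifiers out of IndexedDB database names. The following is an added example, not code from FingerprintJS or WebKit: it audits an origin's own database names, listed with the standard `indexedDB.databases()` call, for embedded identifiers. The function names, patterns and sample names are assumptions made for illustration.

```javascript
// Added example: audit an origin's OWN IndexedDB database names for
// user-identifying values. Patterns and thresholds are assumed heuristics.
const ID_PATTERNS = [
  { label: "long-digit-run", re: /\d{12,}/ },
  { label: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { label: "long-hex", re: /[0-9a-f]{24,}/i },
  { label: "email", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
];

// Returns one finding per database name that embeds a known identifier of
// the signed-in user or matches an identifier-like pattern.
function auditDatabaseNames(names, knownIdentifiers = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    const lower = name.toLowerCase();
    for (const id of knownIdentifiers) {
      if (id && lower.includes(String(id).toLowerCase())) reasons.push("known-identifier");
    }
    for (const { label, re } of ID_PATTERNS) {
      if (re.test(name)) reasons.push(label);
    }
    if (reasons.length > 0) findings.push({ name, reasons: [...new Set(reasons)] });
  }
  return findings;
}

// Browser entry point: list this origin's databases and audit them.
async function auditOwnOrigin(knownIdentifiers = []) {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null; // enumeration API not available in this environment
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name), knownIdentifiers);
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline-store:104857600123456789012",
  "prefs|alice@example.com",
  "session-3f2a9c1e-7b4d-4e2a-9c61-0d5e8f7a1b23",
];
```

Names that are flagged should be replaced with a constant name per application, with any per-user data kept inside the database rather than in its name.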

The bug affects newer versions of browsers using Apple’s open source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome on iOS 15 and iPadOS 15, as Apple requires all browsers to use WebKit on the iPhone and iPad. FingerprintJS has a live demo of the bug that indicates older browsers like Safari 14 for Mac are unaffected.

FingerprintJS noted that no user action is required for a website to access IndexedDB database names generated by other websites.

“A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time,” the blog post said. “Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.”

Private browsing mode does not protect against the bug in affected Safari versions.

Users will need to wait for Apple to address the bug with software updates; we have reached out to Apple to see if a fix is planned. In the meantime, Safari 15 users could temporarily switch to a different browser on the Mac, but this is not possible on the iPhone or iPad since all browsers are affected by the WebKit bug on those devices.

The bug was reported to the WebKit Bug Tracker on November 28. More details can be found in FingerprintJS’s blog post, reported earlier by 9to5Mac.