Safari API Bug Can Reveal Your Identity


It’s a bug that leaks information about your browsing habits. 

Safari Bug Leaking Your Information 

Apple continues its efforts to make its browser, Safari, safe from cross-site tracking. Its Privacy Report is designed to protect users.

However, a bug has been discovered that could undo all of Apple’s initiatives in protecting its users’ privacy. 

In a blog post, FingerprintJS revealed that there's an issue with the way Apple implemented the IndexedDB API in its browser. The bug can let any website track your Internet activity. Because of that, it can determine your identity.

What is IndexedDB? 

It's a browser API. Major web browsers provide it as client-side storage. It holds databases, among other data.

The API follows the same-origin policy, which limits what information a website can access. As a result, a site can only access the data it generated itself, not data belonging to other sites.

Here’s the explanation of Martin Bajanik about the leaks in Safari:

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session. Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window. For clarity, we will refer to the newly created databases as “cross-origin-duplicated databases” for the remainder of the article.” 

The leak is bad because it allows a site to learn what other sites the user is visiting in different windows and tabs. Martin added that websites use unique identifiers in database names, which means authenticated users can be precisely identified. YouTube, for instance, creates databases whose names include the Google User ID. Databases are created for every account.

He also stated that the leak doesn't need any specific user action. A tab running in the background can query the IndexedDB API for available databases. It can learn what other sites you're visiting in real time. Sites can also open any site in a pop-up window to trigger the leak for that particular site.

Many websites are using IndexedDB. They can be uniquely identified by the databases that they interact with, says the report. FingerprintJS checked the top 1000 most visited websites and found that over 30 sites were interacting with indexed databases on their homepage without the need for user interaction.
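For site owners, the point about identifiers in database names translates into a simple self-audit. The following is an added example, not code from FingerprintJS or from this article: it flags database names that embed user-identifying tokens, and the patterns, the function name `auditDatabaseNames` and the sample names are all constructed assumptions.

```javascript
// Added example: audit your own site's IndexedDB database names for tokens
// that identify a user. Patterns and sample names are constructed.
const IDENTIFIER_PATTERNS = [
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'email', re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { kind: 'long-number', re: /\d{10,}/ },    // numeric account IDs
  { kind: 'hex-digest', re: /[0-9a-f]{32,}/i }, // hashed identifiers
];

// names: database names used by your own origin.
// currentUserIds: identifiers of the signed-in test account (hypothetical input).
function auditDatabaseNames(names, currentUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      if (re.test(name)) reasons.push(kind);
    }
    for (const id of currentUserIds) {
      if (id && name.includes(String(id))) reasons.push('current-user-id');
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample names; on your own site, collect them in the browser with:
//   const names = (await indexedDB.databases()).map((db) => db.name);
const SAMPLE_NAMES = [
  'app-settings',
  'offline-cache|104857600123456789012',
  'drafts:jane@example.test',
  'sync-3f2b8c1e-9a4d-4e6f-8b2a-1c5d7e9f0a3b',
  'profile-u48213',
];

console.log(auditDatabaseNames(SAMPLE_NAMES, ['u48213']));
```

A flagged name can be replaced with a fixed, account-independent database name, with the account identifier stored as a key inside the database instead.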

Even if you use the private mode of Safari, you're not safe. However, the extent of leaked information is reduced because private Safari windows are restricted to one tab.

Protecting Yourself 

There's not much you can do to protect yourself. Martin suggested blocking all JavaScript by default and only allowing JS on sites that you trust. Unfortunately, that's not convenient for modern browsing. Alternatively, Martin suggested using a different browser in the meantime. But that's not an option for iOS and iPadOS users because all browsers there are affected by the bug.



Author: Jane Danes

Jane has a lifelong passion for writing. As a blogger, she loves writing breaking technology news and top headlines about gadgets, content marketing and online entrepreneurship and all things about social media. She also has a slight addiction to pizza and coffee.
