Safari 15 bug leaks your iPhone and Mac browsing activity as you work
Just days after Apple patched a bug that could allow a hacker to send your iPhone into an endless loop of crashes, FingerprintJS has uncovered a Safari vulnerability that could expose your internet activity and personal data to an open website.
The bug originates in the IndexedDB API, which is used for client-side storage of significant amounts of structured data, according to Mozilla. As FingerprintJS explains, since IndexedDB is a low-level API used by all major browsers, many developers “choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.”
According to FingerprintJS, Safari’s implementation of IndexedDB violates the same-origin policy, the security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. Consequently, arbitrary websites could spy on the other websites a user visits in different tabs or windows.
Since some websites use unique user-specific identifiers in database names, FingerprintJS explains that authenticated users can be “uniquely and precisely identified” by sites such as YouTube, Google Calendar, and Google Keep. And since you’ll be logged in to those sites using your Google ID, the databases created for that account, which include personal information, could be leaked. FingerprintJS uncovered several other sites vulnerable to the bug, including Twitter and Bloomberg.
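For site developers, the exposure described above depends on what a database name contains. The following is an added example, not code from FingerprintJS or this article: a small audit that flags IndexedDB database names embedding something that looks like a user identifier. The function name, the patterns and the sample names are all assumptions constructed for illustration.

```javascript
// Added example: audit the database names your application passes to
// indexedDB.open() for embedded user-specific identifiers.
// Patterns are heuristics chosen for this example; tune them to your ID formats.
const IDENTIFIER_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i },
  // Long digit runs are typical of account IDs (may also catch timestamps).
  { kind: "long-number", re: /\d{10,}/ },
  // Long hex runs are typical of hashed or encoded account IDs.
  { kind: "long-hex", re: /(?<![0-9a-f])[0-9a-f]{16,}(?![0-9a-f])/i },
];

// Returns one finding per suspicious name: { name, kind, match }.
// Only the first matching pattern is reported for each name.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      const m = re.exec(name);
      if (m) {
        findings.push({ name, kind, match: m[0] });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline.settings.123456789012345678901",
  "notes-3f2b8c1e-9a4d-4c6b-8e2f-1a2b3c4d5e6f",
  "mail_alice@example.com",
  "media-store",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.kind.padEnd(12)} ${f.name}`);
}
```

Names that come back flagged are candidates for renaming to a fixed, non-identifying string, with the per-user data kept inside the database rather than in its name.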
You can see the bug in action using a demo created by FingerprintJS. The only known mitigation is to change browsers on macOS. iOS and iPadOS users have fewer options due to Apple’s handling of browser engines, though FingerprintJS notes that users could block all JavaScript by default and only allow it on trusted sites. That, or just wait for an update to arrive. Apple is currently preparing iOS 15.3 and macOS 12.2 for release, but it’s unclear if they include a Safari fix.
Michael Simon has been covering Apple since the iPod was the iWalk. His obsession with technology goes back to his first PC—the IBM Thinkpad with the lift-up keyboard for swapping out the drive. He’s still waiting for that to come back in style tbh.