Date: 2022-01-17



Apple touts itself as a privacy-focused company, but devices connected to the Internet aren’t really secure. And despite that claim, the company can take a long time to patch reported exploits. The latest report emphasizes that malicious websites may access details of a user’s Google account and some of their recent browsing history in Safari. This exploit was shared with Apple in November, but hasn’t been resolved yet.

FingerprintJS disclosed this serious Safari bug in a recent blog post (via 9to5Mac). Safari’s IndexedDB implementation on Apple’s operating systems allows websites to read the names of databases that belong to other domains. It does not give access to the actual contents of those databases, but the name itself can reveal a lot about the user. For example, Google uses the user’s unique ID as the database name when storing data for the logged-in account. A website that learns this name can obtain more information about the user, because the Google User ID can be used to make requests to Google service APIs. A fix for this bug would prevent websites from seeing database names from other domains. FingerprintJS explains further:

Note that these leaks do not require any specific user action. Tabs or windows that run in the background and continuously query the IndexedDB API for available databases can learn which other websites users access in real time. Alternatively, a website can open any website in an iframe or pop-up window to trigger an IndexedDB-based leak for a particular site.

Given the seriousness of this bug, it’s unclear why Apple hasn’t patched it yet. Now that the exploit is public, we can expect the company to patch it in the next build of iOS 15.3. In the meantime, if you’re using macOS, you can protect yourself by switching to another web browser. Unfortunately, all iOS and iPadOS browsers are affected because they are based on Apple’s WebKit.
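The same-origin scoping that this bug breaks can be shown with a simplified model. The code below is an added example, not code from the original article, FingerprintJS or WebKit; the `BrowserSession` class, the `foreignNames` check, and all origins and database names are hypothetical and constructed for illustration.

```javascript
// Simplified model (constructed, not WebKit code): a browser session that
// records which origin created each IndexedDB database.
class BrowserSession {
  constructor() {
    this.records = []; // entries of the form { origin, name }
  }

  // An origin is scheme + host + port, as computed by the URL parser.
  static originOf(pageUrl) {
    return new URL(pageUrl).origin;
  }

  open(pageUrl, name) {
    const origin = BrowserSession.originOf(pageUrl);
    if (!this.records.some((r) => r.origin === origin && r.name === name)) {
      this.records.push({ origin, name });
    }
  }

  // Behaviour the article describes: names from every origin are listed.
  listLeaky(_callerUrl) {
    return this.records.map((r) => r.name);
  }

  // Same-origin behaviour: only the caller's own databases are listed.
  listScoped(callerUrl) {
    const origin = BrowserSession.originOf(callerUrl);
    return this.records.filter((r) => r.origin === origin).map((r) => r.name);
  }
}

// Isolation check: names in a listing that the calling origin never created.
function foreignNames(listed, ownNames) {
  const own = new Set(ownNames);
  return listed.filter((name) => !own.has(name));
}

// Constructed sample session with hypothetical origins and database names.
function demo() {
  const s = new BrowserSession();
  s.open("https://accounts.example/mail", "user-1234567890"); // ID-bearing name
  s.open("https://news.example/", "article-cache");
  s.open("http://news.example/", "article-cache"); // other scheme, other origin
  const caller = "https://news.example/story";
  return {
    leaky: foreignNames(s.listLeaky(caller), ["article-cache"]),
    scoped: foreignNames(s.listScoped(caller), ["article-cache"]),
    scopedList: s.listScoped(caller),
  };
}
```

With correct scoping the check returns an empty list; in the leaky listing, the ID-bearing name created by the other origin shows up.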

