This Safari bug could be leaking your recent browsing history
It’s been uncovered that a Safari 15 bug can disclose your recent browsing history and even some info from logged-in Google accounts.
A blog post from FingerprintJS (via 9to5mac) has revealed that a huge bug in Safari 15 can actually leak your recent browsing history from the app.
Anyone who has linked their Google account to Safari could also be at risk of having their personal information revealed.
This vulnerability has been linked back to an issue with the way Apple implements IndexedDB, which is an application programming interface (API) that stores data on your browser.
The bug means that a website can see the names of databases for any domain on Mac and iOS, not just their own. Using the names, websites can extract identifying information from a lookup table.
For instance, if you were to open up your email on one webpage and then open up another webpage that happens to be malicious, Apple’s implementation of the API means that the malicious website can view your email and scrape your Google User ID, which can be used to find out more information about you.
This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. https://t.co/aXdhDVIjTT
Usually, a policy called the same-origin policy would block this from happening, as it restricts one origin from interacting with data that is collected elsewhere; in other words, if you were to open your email and then a malicious website, the dangerous website would have no way of accessing your email or other webpages you interact with.
FingerprintJS also mocked up a proof-of-concept demo, which shows us a lookup table of around 30 domain names that include the browser’s IndexedDB vulnerability, including Netflix, Twitter and Xbox. You can use the site if you have Safari on any Apple device to see any sites you have opened recently and see how the bug can access your information.
However, it has been pointed out that the same technique could be used on a larger set of domain names, with any website that uses the IndexedDB JavaScript API now vulnerable to data scraping.
Unfortunately, all current versions of Safari on iOS and Mac are unprotected, with Apple currently not commenting on the issue that was originally reported by FingerprintJS on 28 November.
We will be sure to keep you updated with this leak as soon as more information comes out. We have reached out to Apple for a comment but had not heard back at the time this article was written.
Gemma joined Trusted Reviews as a staff writer after graduating from Leeds Beckett University with a Journalism degree. She’s worked with national outlets, covering breaking news stories to reviews fo…
Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.
Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.
Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.
We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.