A bug in Safari allows other websites to track your recent browsing activity (Update: The fix is here)

By Kenny Yeo - on 27 Jan 2022, 8:45am

Note: This article was first published on 17 January 2022 and was updated on 27 January 2022 with details of a fix.

FingerprintJS, a browser fingerprinting and fraud detection service, has discovered a bug in Safari 15 that could leak your browsing activity to other websites.

This issue is caused by Safari's implementation of IndexedDB, an API that stores data in your browser. IndexedDB abides by something called the "same-origin policy."

Essentially, it means only the website that generates the data can access it. This makes sense and it means that even if you open a malicious webpage in one tab, it doesn't immediately have access to data in other tabs.

The problem is that Safari violates this policy. Whenever a website interacts with a database in Safari, "a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session."

This behavior allows other websites to see the names of databases created by other sites, and therefore to infer your recent browsing activity. Furthermore, the database names themselves often contain details that can be used to identify the user, such as your unique Google ID.
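The behavior quoted above can be modelled in a few lines, which makes it clear that only the database name crosses origins while the copy itself stays empty. This is an added example, not code from FingerprintJS or WebKit; the `BrowserSession` class, the origins and the database names are all constructed for illustration.

```javascript
// Toy model of per-origin IndexedDB storage in one browser session.
class BrowserSession {
  constructor(leaky) {
    this.leaky = leaky;        // true = behavior quoted above, false = same-origin policy upheld
    this.storage = new Map();  // origin -> Map<databaseName, recordCount>
  }
  openTab(origin) {
    if (!this.storage.has(origin)) this.storage.set(origin, new Map());
    return origin;
  }
  // A site at `origin` opens (or creates) a database and writes `records` entries.
  openDatabase(origin, name, records) {
    const own = this.storage.get(origin);
    own.set(name, (own.get(name) || 0) + records);
    if (!this.leaky) return;
    // Buggy behavior: an empty database with the same name appears for every other active origin.
    for (const [otherOrigin, dbs] of this.storage) {
      if (otherOrigin !== origin && !dbs.has(name)) dbs.set(name, 0);
    }
  }
  // What a script running at `origin` sees when it lists its database names.
  listDatabases(origin) {
    return [...this.storage.get(origin).keys()].sort();
  }
  recordCount(origin, name) {
    return this.storage.get(origin).get(name);
  }
}

// Constructed scenario: two tabs on unrelated sites. Returns the names visible to the
// second site that it never created (must be empty when the same-origin policy holds)
// and how many records each of those leaked copies holds.
function scenario(leaky) {
  const session = new BrowserSession(leaky);
  const mail = session.openTab("https://mail.example");
  const other = session.openTab("https://other.example");
  const ownNames = ["other-cache"];
  session.openDatabase(other, "other-cache", 1);
  session.openDatabase(mail, "mail-offline-user-1234567890", 42); // name embeds a user ID
  const foreign = session.listDatabases(other).filter((n) => !ownNames.includes(n));
  return { foreign, records: foreign.map((n) => session.recordCount(other, n)) };
}

console.log("policy upheld:", JSON.stringify(scenario(false)));
console.log("leaky session:", JSON.stringify(scenario(true)));
```

The check in `scenario` is the invariant a patched browser has to satisfy: the list of names an origin can see contains nothing that origin did not create.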

FingerprintJS created a proof-of-concept demo on this page which you can try if you are running Safari 15 or above on your Mac, iPhone, or iPad. It shows how sites can exploit the bug and scrape information from your browsing activity.

 

What can I do?

Neither Apple nor WebKit has commented on this issue, but it's reasonable to expect them to issue an update to patch this bug soon.

In the meantime, Mac users can consider switching to another browser. iOS users, unfortunately, have no way around this since Apple bans third-party browser engines on iOS.

 

A fix is coming (Updated on 21 Jan 2022)

Reports say that the newest release candidates for macOS 12.2 and iOS 15.3 contain fixes for this bug. These release candidates have just been made available to developers and beta users. That said, there's no word on when macOS 12.2 and iOS 15.3 will be available to the public.

 

The fix is here (Updated on 27 Jan 2022)

Apple has just released macOS Monterey 12.2, iOS 15.3, and iPadOS 15.3, which contain fixes for this bug.

Source: FingerprintJS via 9to5 Mac (1), (2)
