Safari 15 may have a serious security flaw, and there's no patch in sight

(Image credit: Apple)

Security experts have uncovered a major flaw in the latest version of Apple’s internet browser which is leaking browsing history and even some identity data saved in associated Google accounts.

According to a blog post from cybersecurity service providers FingerprintJS, the problem lies in an Apple API - IndexedDB, used to store data in Safari 15.

Safari 15 has a security measure that prevents malicious pages, opened in one tab, to read the data generated by websites opened in another tab. According to FingerprintJS, IndexedDB API in Safari 15 does not abide by this policy (called the same-origin policy), and instead - “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”

No patch yet

The researchers have also explained how the flaw can be leveraged to obtain Google account data. Google’s services (for example, YouTube) generate databases containing the unique Google User ID in their names. As these IDs are used to access public information, such as a profile picture, other sites could see it, as well. 

To show how a website can learn any visitor's recent and current browsing activity, the researchers also built a demo which you can find on this link. At the moment, it detects 30 affected sites, but the list is probably a lot bigger.

Right now, there doesn’t seem to be a solution to the problem. As reported by The Verge, the problem even affects Private Browsing mode on Safari, and with Apple’s third-party browser engine ban on iOS, all other browsers are affected, as well. 

The flaw has been reported to the WebKit Bug Tracker in late November last year, but Apple is yet to issue an update for the browser, and remains silent on the matter.

One option, suggested by the researchers, is to block all JavaScript by default and only allow it on trusted sites. However, this makes modern web browsing “inconvenient and is likely not a good solution for everyone,” they concluded.

Via: The Verge

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.