Apple Working To Patch Safari Data Leak Vulnerability

Oh dear, not so private. WebKit browser engine flaw has been leaking user ID and browser data since iOS 15 went live in September 2021.

Apple is working on a fix for a serious vulnerability in its Safari browser that leaks a user’s browsing history and user IDs.

Research published last week by FingerprintJS has revealed a vulnerability in Apple’s WebKit browser engine that powers the Safari 15 browser (and other iOS browsers).

Indeed, the flaw is serious: it has been leaking user ID and browser information since iOS 15 went live in September last year.

WebKit flaw

FingerprintJS said the software bug, introduced in Safari 15’s implementation of the IndexedDB API, lets any website track a user’s internet activity and even reveal their Google User ID.

The Google User ID is an internal identifier generated by Google.

It uniquely identifies a single Google account. It can be used with Google APIs to fetch public personal information of the account owner.

FingerprintJS took the responsible action and reported the leak to the WebKit Bug Tracker on 28 November.

The flaw centres around WebKit, which is Apple’s browser engine that powers Safari and other web browsers.

Since WebKit is an open-source engine, updates related to the bug are public and can now be seen on GitHub.

The vulnerability discovered by FingerprintJS was in the implementation of IndexedDB, which is a JavaScript API used to store data.

The bad news is that malicious websites can exploit the flaw to see URLs recently visited by a user and even obtain a person’s Google User ID, which can be used to find personal information about the user.

No fix yet

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy,” said FingerprintJS.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” it said. “Windows and tabs usually share the same session, unless you switch to a different profile, in Chrome for example, or open a private window.”
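The behaviour FingerprintJS describes can be modelled as a check on same-origin isolation. The following JavaScript is an added example, not code from FingerprintJS or WebKit: the `Session` class, its `leaky` flag, the origins and the database names are all constructed for illustration. It reports every database name that is visible in a context whose origin never created it.

```javascript
// Toy model of one browser session; not WebKit code. All names are constructed.
class Session {
  constructor(leaky) {
    this.leaky = leaky;   // true = the cross-origin behaviour described above
    this.contexts = [];   // every active tab, frame or window
  }
  open(origin) {
    const ctx = { origin, created: new Set(), visible: new Set() };
    this.contexts.push(ctx);
    return ctx;
  }
  // A page running in `ctx` opens a database called `name`.
  openDatabase(ctx, name) {
    ctx.created.add(name);
    for (const other of this.contexts) {
      // Same-origin policy: only contexts of the same origin may see it.
      // Leaky mode: an empty database of that name appears in every context.
      if (other.origin === ctx.origin || this.leaky) other.visible.add(name);
    }
  }
}

// Report each database name visible in a context whose origin never created it.
function sameOriginViolations(session) {
  const createdBy = new Map();   // origin -> names that origin created
  for (const c of session.contexts) {
    if (!createdBy.has(c.origin)) createdBy.set(c.origin, new Set());
    for (const n of c.created) createdBy.get(c.origin).add(n);
  }
  const found = [];
  for (const c of session.contexts)
    for (const n of c.visible)
      if (!createdBy.get(c.origin).has(n)) found.push(`${c.origin} sees ${n}`);
  return found;
}

// Constructed scenario: two sites open in three tabs of one session.
function scenario(leaky) {
  const s = new Session(leaky);
  const siteA = s.open("https://a.example");
  const siteB = s.open("https://b.example");
  s.open("https://a.example");   // second tab of site A
  s.openDatabase(siteA, "cache-user-1234");
  s.openDatabase(siteB, "reader-prefs");
  return sameOriginViolations(s);
}

console.log("isolated:", scenario(false));
console.log("leaky:   ", scenario(true));
```

With isolation intact the checker returns an empty list; in the leaky model each site's tabs see the other site's database name.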

The really bad news is that there doesn’t seem to be a solution at the moment, other than switching to a non-iOS based web browser.

Another option is to roll back to Safari 14, as the WebKit version used in Safari 14 is not affected by the bug.

“Unfortunately, there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures,” noted FingerprintJS. “One option may be to block all JavaScript by default and only allow it on sites that are trusted. This makes modern web browsing inconvenient and is likely not a good solution for everyone.”

Apple is, however, working on a fix, but there are no details as to when the fix will be available.

The fix will, however, require Apple to release updated builds of iOS 15 and macOS Monterey to include a new version of Safari using the latest WebKit engine.