We could all do a better job of keeping our online accounts and private data secure. Unfortunately, there’s only so much that we can do when the software we use leaves us vulnerable to major threats. For example, last Friday, the fraud prevention service FingerprintJS detailed a bug in Safari 15 capable of leaking browsing activity and personal data (via 9to5Mac). This bug affects Safari on macOS, as well as every browser on iOS and iPadOS, since all of them use Apple’s browser engine. If you own an Apple device, you’re at risk.
Safari bug leaks browsing activity and personal data
As FingerprintJS explains, the vulnerability is a result of Apple’s implementation of the IndexedDB API in Safari. IndexedDB stores data in the browser while you browse and is meant to follow the same-origin policy. This policy ensures that data and documents from one website can’t be seen by another.
Safari 15 violates the same-origin policy. When a website you visit on Safari interacts with a database, “a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.” The database names Safari creates are now leaking across origins. Websites you visit can see the names of the other databases that have been created.
This is cause for concern, but it gets worse. FingerprintJS also notes that some websites have unique identifiers in their database names. Websites that use your Google account, such as YouTube, Google Calendar, or Google Keep, create databases that include an authenticated Google User ID. Malicious websites can not only see your ID, but can also use it to link together multiple accounts.
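The practical lesson for site developers in the two paragraphs above is that a database name is metadata a browser bug can expose, so a per-user identifier should never be part of it. The following is an added example written for this article; it is not code from FingerprintJS, Apple, or any of the sites mentioned. It shows the weak naming pattern the article describes beside a hardened one, plus a small lint a developer can run over the database names their code creates. The user ID, the database names and the `records` object store are constructed for illustration.

```javascript
// Constructed sample of an authenticated user id, as a site might hold it
// after login. Not a real Google User ID.
const SAMPLE_USER_ID = "115728934557102938471";

// Weak pattern (hypothetical name): the user's identifier becomes part of
// the database name. Under the Safari 15 bug, that name is readable by
// every other origin open in the same browser session.
function weakDatabaseName(userId) {
  return "LogsDatabase.V2." + userId;
}

// Hardened pattern: a fixed, non-identifying name. Which user the data
// belongs to is recorded inside the object store, where the same-origin
// policy and the bug's "empty database" duplication reveal nothing.
function hardenedDatabaseName() {
  return "app-data";
}

// Build a record keyed by user inside a shared store, so the user scope
// never has to appear in the database name.
function scopedRecord(userId, key, value) {
  return { user: userId, key: key, value: value };
}

// Heuristic lint for database names: flags a name that contains any known
// identifier, or a long run of digits or hex characters that looks like one.
// It is a review-time check, not a runtime guard.
function nameLeaksIdentifier(name, knownIds = []) {
  for (const id of knownIds) {
    if (id && name.includes(id)) return true;
  }
  return /\d{12,}|[0-9a-f]{24,}/i.test(name);
}

// Run the lint over every database name the application intends to create.
// Returns the names that should be renamed before shipping.
function auditDatabaseNames(names, knownIds = []) {
  return names.filter((n) => nameLeaksIdentifier(n, knownIds));
}

// Hardened open using the real IndexedDB API. Only runs in a browser; in
// Node there is no indexedDB global, so it returns null. The compound key
// [user, key] partitions records per user inside one fixed-name database.
function openScopedStore() {
  if (typeof indexedDB === "undefined") return null;
  const request = indexedDB.open(hardenedDatabaseName(), 1);
  request.onupgradeneeded = () => {
    request.result.createObjectStore("records", { keyPath: ["user", "key"] });
  };
  return request;
}

// Example audit of the two naming patterns above.
const flagged = auditDatabaseNames(
  [weakDatabaseName(SAMPLE_USER_ID), hardenedDatabaseName()],
  [SAMPLE_USER_ID]
);
console.log("names to rename:", flagged); // only the weak name is listed
```

To write into the hardened store from a browser, a transaction on `records` would `put(scopedRecord(userId, "prefs", {...}))`; the user ID then lives only in the record, never in anything `indexedDB.databases()` can list.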
What can you do to protect your data?
To measure the severity of the bug, FingerprintJS checked the homepages of Alexa’s top 1000 most visited sites. More than 30 of those sites “interact with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate.” In reality, the number is likely far higher, especially once users visit other pages on those sites or interact with them.
If you can’t quite wrap your head…