New Safari bug could compromise user’s browsing history; infect third party browsers

A recently discovered bug in the Safari browser could potentially compromise users’ data and their browsing history, as per a blog post by FingerPrintJS, a browser fingerprinting library.   

Browser fingerprinting can be referred to as the methods by which websites use special scripts to collect information about the person, through which they can identify a user out of the potential sea of other users.   

The news of a new bug comes just days after Apple announced that it released the 15.2.1 update for iOS and iPadOS to fix bugs and a potentail vulnerability with Siri's smarthome platform called HomeKit. 

The bug, called as IndexedDB, allows any website to access the names of IndexedDB databases which are collected by other websites through browser history. The bug could allow one website to track user visits in different tabs or windows.  

However, IndexedDB databases are supposed to be accessible only by the websites that collects its own unique IndexedDB data.   

It is pertinent to mention here that some websites use certain identifiers in IndexedDB names. YouTube for example, includes the user’s Google ID in the name of their IndexedDB data, this in turn can be used by APIs by Google to collect personal information on the user, such as profile pictures, FIngerPrintJS said, which could be used by a threat actor to gauge a person’s identity.   

Which devices does the bug affect?   

The bug has been seen to affect Safari 15 browsers on Mac, along with all Safari versions on Ios15 and iPadOS15. An additional worry is that it has been noticed to infect third-party browsers such as Chrome on ios15 and ipadOS15.    

More specifically, the bug seems to target new versions of browsers that use WebKit, which is Apple’s open source browser engine. This also explains why third party browsers such as Chrome are vulnerable, owing to Apple’s policy that all browsers need to utilise WebKit on their devices.   

FingerprintJS also put out a video showing how it compromises personal data.