We reported a few days ago that Apple has a major privacy issue with their Safari browser, in that it creates empty versions of the IndexedDB web database for each web page in each other web page, meaning for IndexedDB Safari does not respect same-origin policy properly.

The mere presence of the database will let other web pages know that you visited another website, for example, the presence of the Netflix IndexedDB could tell Amazon that you are a Netflix user. Even worse, however, the name of the database may leak your credentials. The name of the database for Google apps (such as Gmail or YouTube) include your GoogleID for example, which can be used to access your publicly-available information, such as your profile picture.

The issue was reported to Apple on the 28th November 2021 but after 6 weeks of non-action was publicly disclosed a few days ago.

It appears this has finally spurred some action, as XDA-Dev reports that iOS/iPadOS 15.3 Release Candidate now contains a patched version of Safari 15.

Given that it is being tested in the Release Candidate, it will presumably roll out rapidly to regular iOS and Mac users.

For iPhone and iPad users, the fix can not come too soon. While macOS users can and should use an alternate browser,  on iOS all browsers use the Safari web engine, meaning all iPhone users have no mitigation except to stop using the browser on their phone.

Watch FingerprintJS’s explainer video about the bug below:

YouTube player

via the Verge

Comments