If you care about your privacy you mean need to put down your iPhone, after a serious implementation bug in Safari means any website is able to read some of your private data and recent browsing history, even when using Private Browsing mode.

The issue is with how Safari implements IndexedDB, a browser-based database commonly used by web apps. Most browsers create a new instance of IndexedDB for each website, which can only be accessed from that website.

Safari however creates empty versions of the IndexedDB created by each web page in each other web page, meaning for IndexedDB Safari does not respect same-origin policy properly.

Even though the shadow copies of IndexedDB created for other web pages are empty, they still have the same name as the actual database created by the original web app, which can leak private information. The mere presence of the database will let other web pages know that you visited another website, for example, the presence of the Netflix IndexedDB could tell Amazon that you are a Netflix user. Even worse, however, the name of the database may leak your credentials. The name of the database for Google apps (such as Gmail or YouTube) include your GoogleID for example, which can be used to access your publicly-available information, such as your profile picture.

The bug was discovered and reported by FingerprintJS on the 28th of November, but so far Apple has not taken any action.

You can test out the issue at FingerprintJS’s proof of concept website here, which will check if you visited 30 different major websites recently.

On macOS users can and should use an alternate browser, but on iOS all browsers use the Safari web engine, meaning all iPhone users have no mitigation except to stop using the browser on their phone.

Watch FingerprintJS’s explainer video below:

YouTube player

via the Verge

Comments