Data Backup Digest

Safari 15 Bug Exposes Private User Data

Apple’s operating systems are often considered to be among the most secure platforms available. Not only are there fewer Apple machines in use, but Apple’s developers consistently treat security as a top priority. Because of this, Apple users have come to expect a certain level of security and privacy from their devices.

That’s why it’s so surprising to hear that Apple’s latest Safari web browser, version 15, introduces a bug that could jeopardize the privacy of its users. Using Safari in private browsing (incognito) mode, which is meant to offer the maximum amount of privacy, does not avoid the bug. Although a fix has already been issued, users were advised to disable JavaScript until the issue was finally resolved.

Examining the Bug

Given the emphasis on user and consumer privacy in the 21st century, this bug was quite significant. Not only could it reveal which websites individual users visit on a day-to-day basis, but it could also be exploited to reveal identifying information about specific users.

Making matters worse, no user interaction was required for the bug to take effect. While most viruses, malware, and ransomware have to be executed by the user, or at least installed on their machine, this isn’t the case with the Safari bug.

Instead, the bug targeted IndexedDB, leaking data across different origins. Since many popular websites use the IndexedDB API on their homepage, the bug had the potential to impact thousands, if not millions, of Safari users.

Moreover, the bug had the potential to affect users on other operating systems and web browsers, too. Although Windows users were spared, Google Chrome and Mozilla Firefox on Apple’s iOS and iPadOS use the WebKit engine for rendering. As such, those users were vulnerable to the Safari bug as well.
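The leak described above can be checked for from the defender’s side: a page knows which IndexedDB databases it created itself, and a correctly isolated browser should list only those when asked. The following self-check is an added example written for this article, not code from FingerprintJS or from Apple; the database name `isolation-check-db` and the sample listings are constructed, and the `indexedDB.databases()` call is the standard enumeration API (support varies by browser and version).

```javascript
// Added example (not from the article or from FingerprintJS): an origin-isolation
// self-check for IndexedDB. A page records the database names it created itself,
// then asks the browser to list every database visible to it. A correctly isolated
// browser returns only this origin's databases; any other name is a leak.

// Pure comparison step, kept separate so the logic runs outside a browser too.
// `ownNames`: names this origin created; `listed`: entries as returned by
// indexedDB.databases(), i.e. objects with `name` and `version` fields.
function findForeignDatabases(ownNames, listed) {
  const own = new Set(ownNames);
  return listed
    .map((entry) => entry.name)
    .filter((name) => name !== undefined && !own.has(name));
}

// Summarize the result: isolated means nothing beyond our own databases showed up.
function summarizeIsolation(ownNames, listed) {
  const foreign = findForeignDatabases(ownNames, listed);
  return {
    isolated: foreign.length === 0,
    ownCount: ownNames.length,
    foreign,
  };
}

// Browser-side driver (only meaningful where the IndexedDB API exists).
// Creates one database of our own so the expected list is non-empty, then
// compares it with whatever the browser is willing to enumerate.
async function checkIndexedDbIsolation(dbName = "isolation-check-db") {
  await new Promise((resolve, reject) => {
    const req = indexedDB.open(dbName, 1);
    req.onsuccess = () => { req.result.close(); resolve(); };
    req.onerror = () => reject(req.error);
  });
  const listed = await indexedDB.databases();
  return summarizeIsolation([dbName], listed);
}

// Constructed sample listings for offline use. In the leaking case a name that
// belongs to some other origin appears next to our own database.
const sampleIsolatedListing = [{ name: "isolation-check-db", version: 1 }];
const sampleLeakingListing = [
  { name: "isolation-check-db", version: 1 },
  { name: "example-shop-cart", version: 3 }, // constructed foreign entry
];

// Run the live check only when an IndexedDB implementation is present.
if (typeof indexedDB !== "undefined") {
  checkIndexedDbIsolation().then((result) => console.log(JSON.stringify(result)));
}
```

Serve the script from any origin you control and open the page once in a browser: an `isolated: true` result means the enumeration stayed within the origin, while a non-empty `foreign` list is exactly the cross-origin exposure the article describes and is worth reporting against the browser build in question.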

The bug was originally uncovered by Fingerprint.js, which disclosed its findings directly to Apple in late November 2021. Because the company failed to respond, Fingerprint.js eventually released the information to the public.

Martin Bajanik, an engineer with Fingerprint.js, summarized the bug in a recent blog post by saying: “The fact that database names leak across different origins is an obvious privacy violation. It lets arbitrary websites learn what websites the user visits in different tabs or windows.”

Jake Archibald, a developer with Google’s Chrome web browser, also expressed concern by saying: “This is a huge bug. On OSX, Safari users can switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines.”

Fixing the Bug

While it’s important to note that Apple’s team has fixed the bug as of this writing, the fix didn’t come quickly or easily. The issue went unaddressed for months after Apple was originally notified, and similar incidents have happened in the past. However, once the bug became public knowledge, the development team immediately went to work on a fix.
