A bug has been discovered in Safari 15 that could leak Mac, iPhone and iPad users’ browser activity, and make personal information associated with their Google accounts visible to others. FingerprintJS discovered the vulnerability, and reports that, among other things, visited web pages may become visible to unauthorised persons as a result.
The problem lies in the way Safari for Mac and iOS implements IndexedDB, an API that stores data in the browser.
Apple reportedly became aware of the problem back in late November, but has yet to take action. This is despite the fact that it represents a potentially serious privacy breach.
The leak
When you go to a website that uses a local database in a new tab, a new empty database with the same name is created in all other tabs and windows (except private ones).
Most sites that use these databases give the database a name that makes it obvious which site it is. The result is that all other open sites can theoretically see which site you’ve just opened. When you close the tab, these databases are deleted, but by then it’s already too late.
“The fact that database names leak across different origins is an obvious privacy violation,” explains FingerprintJS. “It lets arbitrary websites learn what websites the user visits in different tabs or windows.”
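A self-test illustrating the leak described above, added here as an example and not code from the article or from FingerprintJS: a page records which database name it created itself, then asks the browser for every database name visible in its origin. Any other name is a database that leaked in from another tab. The function and database names are assumed; `indexedDB.databases()` is the standard API that lists databases.

```javascript
// Added example (not from the article): a page can only legitimately see the
// databases it created itself, so any other name reported by the browser is
// evidence of the cross-origin leak in Safari 15.

// Pure check, kept separate from browser APIs so it can run anywhere: given the
// names this origin owns and the names the browser reports, return the foreign ones.
function findForeignDatabases(ownNames, reportedNames) {
  const own = new Set(ownNames);
  const foreign = [];
  for (const name of reportedNames) {
    if (!own.has(name) && !foreign.includes(name)) foreign.push(name);
  }
  return foreign;
}

// Browser wrapper (assumed name): creates one database this page owns, then lists
// everything the browser shows for this origin and flags the unexpected names.
async function checkForIndexedDbLeak(ownName = 'leak-selftest') {
  if (typeof indexedDB === 'undefined' || typeof indexedDB.databases !== 'function') {
    return { supported: false, foreign: [] }; // no IndexedDB here (e.g. Node, old browser)
  }
  await new Promise((resolve, reject) => {
    const req = indexedDB.open(ownName);
    req.onsuccess = () => { req.result.close(); resolve(); };
    req.onerror = () => reject(req.error);
  });
  const reported = (await indexedDB.databases()).map(db => db.name);
  return { supported: true, foreign: findForeignDatabases([ownName], reported) };
}

// Constructed sample of what a vulnerable browser might report while another tab
// has a site using IndexedDB open; a fixed browser reports only 'leak-selftest'.
const sampleReported = ['leak-selftest', 'leak-selftest', 'other-site-db'];
```

A result with a non-empty `foreign` list means database names from other tabs are visible in this origin, which is exactly the condition the article describes.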
More serious issues with Google
Unfortunately, it doesn’t end there. Some sites also use unique names that can be linked to a specific user. Google is the biggest and worst example here. That’s because Google uses an internal user ID as its database name, which means that a site programmed to exploit the Safari bug will find out your Google account’s internal ID code.
As if that wasn’t enough, a database is also created for each Google account you’re logged into. For example, if you’re logged into a personal and a work account, the spying site will know about both, and the connection between them can no longer be hidden.
Our recommendation
Until Apple fixes the bug, we recommend that you refrain from logging into Google in Safari. The bug is easy to exploit and is guaranteed to be used by unscrupulous developers to create databases of users’ unique Google IDs.
In fact, users who care about privacy might be best advised to open a new private window for each page they visit or, until the fix arrives, to use an alternative browser that also takes privacy seriously, such as Firefox or Brave.
We round up the best Mac browsers and the best iPhone browsers in separate articles.
This article originally appeared on Macworld Sweden. Translation (using DeepL) and additional reporting by David Price.