Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

A bug in WebKit's implementation of a JavaScript API called IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS.

safari icon blue banner
In a nutshell, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user's browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often unique and specific to each website. The correct and normal behavior should be that websites can only access their own IndexedDB databases.

In some cases, websites use unique user-specific identifiers in IndexedDB database names. For example, YouTube creates databases that include a user's authenticated Google User ID in the name, and this identifier can be used with Google APIs to fetch personal information about the user, such as a profile picture, according to FingerprintJS. This personal information could help a malicious actor to determine a user's identity.

The bug affects newer versions of browsers using Apple's open source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome on iOS 15 and iPadOS 15, as Apple requires all browsers to use WebKit on the iPhone and iPad. FingerprintJS has a live demo of the bug that indicates older browsers like Safari 14 for Mac are unaffected.


FingerprintJS noted that no user action is required for a website to access IndexedDB database names generated by other websites.

"A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time," the blog post said. "Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site."

Private browsing mode does not protect against the bug in affected Safari versions.

Users will need to wait for Apple to address the bug with software updates — we've reached out to Apple to see if a fix is planned. In the meantime, Safari 15 users could temporary switch to a different browser on the Mac, but this is not possible on the iPhone or iPad since all browsers are affected by the WebKit bug on those devices.

The bug was reported to the WebKit Bug Tracker on November 28. More details can be found in FingerprintJS's blog post, reported earlier by 9to5Mac.

Update: Apple has prepared a fix for the bug, according to a WebKit commit on GitHub, but Apple still needs to release macOS and iOS updates with an updated version of Safari before the fix is available to users. Apple declined to provide a timeframe.

Tag: Safari

Top Rated Comments

LoveTo Avatar
30 months ago
I feel like I should just burn all my gadgets and go live in the mountains. ?
Score: 64 Votes (Like | Disagree)
planteater Avatar
30 months ago
Reported on November 28. That was a long time ago to have such a serious bug unpatched. I'd like to hear Apples response.
Score: 33 Votes (Like | Disagree)
antiprotest Avatar
30 months ago

I feel like I should just burn all my gadgets and go live in the mountains. ?
Then you will have no way to know if someone put an AirTag on you.
Score: 26 Votes (Like | Disagree)
nadozza Avatar
30 months ago

Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.
What does this have to do with Monterey? It’s a bug in WebKit. One they should have dealt with by now, but it’s not Monterey or MacOS specific.
Score: 25 Votes (Like | Disagree)
citysnaps Avatar
30 months ago

Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.
Please...don't say stuff like that when I'm drinking milk. Not pretty.
Score: 23 Votes (Like | Disagree)
Celtic-moniker Avatar
30 months ago

Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.
Microsoft fixes bugs and adds features? I think you meant Linux.
Score: 16 Votes (Like | Disagree)

Popular Stories

maxresdefault

Apple Event Rumors: iPad Pro With M4 Chip and New Apple Pencil With Haptic Feedback

Sunday April 28, 2024 6:19 am PDT by
In his Power On newsletter today, Bloomberg's Mark Gurman outlined some of the new products he expects Apple to announce at its "Let Loose" event on May 7. Subscribe to the MacRumors YouTube channel for more videos. First, Gurman now believes there is a "strong possibility" that the upcoming iPad Pro models will be equipped with Apple's next-generation M4 chip, rather than the M3 chip that...
iOS 18 General Notes Feature 2

iOS 18 Rumored to 'Overhaul' Notes, Mail, Photos, and Fitness Apps

Sunday April 28, 2024 6:44 am PDT by
Bloomberg's Mark Gurman today said that iOS 18 will "overhaul" many of Apple's built-in apps, including Notes, Mail, Photos, and Fitness. Gurman did not reveal any specific new features planned for these apps. It was previously rumored that the Notes app will gain support for displaying more math equations, and a built-in option to record voice memos, but this is the first time we have...
iPad Pro OLED Feature 2

Apple to Use 'Best OLED Panels on the Market' for Upcoming iPad Pro

Monday April 29, 2024 10:04 am PDT by
Apple's upcoming iPad Pro models will feature "by far the best OLED tablet panels on the market," according to Display Supply Chain Consultants. Set to be announced on May 7, the OLED iPad Pro models will feature LTPO (a more power efficient form of OLED), a 120Hz ProMotion refresh rate, and a tandem stack and glass thinning that will bring "ultra-thin and light displays" that support high...
maxresdefault

Apple Announces 'Let Loose' Event on May 7 Amid Rumors of New iPads

Tuesday April 23, 2024 7:11 am PDT by
Apple has announced it will be holding a special event on Tuesday, May 7 at 7 a.m. Pacific Time (10 a.m. Eastern Time), with a live stream to be available on Apple.com and on YouTube as usual. The event invitation has a tagline of "Let Loose" and shows an artistic render of an Apple Pencil, suggesting that iPads will be a focus of the event. Subscribe to the MacRumors YouTube channel for more ...
iOS 18 Siri Integrated Feature

iOS 18 Rumored to Add These 10 New Features to Your iPhone

Wednesday April 24, 2024 2:05 pm PDT by
Apple is set to unveil iOS 18 during its WWDC keynote on June 10, so the software update is a little over six weeks away from being announced. Below, we recap rumored features and changes planned for the iPhone with iOS 18. iOS 18 will reportedly be the "biggest" update in the iPhone's history, with new ChatGPT-inspired generative AI features, a more customizable Home Screen, and much more....
top stories 27apr2024

Top Stories: Apple Announces 'Let Loose' Event With New iPads and More Expected

Saturday April 27, 2024 6:00 am PDT by
New iPads are coming, and Apple is holding a virtual event to introduce them! While it appears likely to be a relatively short video event, we should be seeing new iPad Pro and iPad Air models, some new accessories, and perhaps some additional surprises. Other Apple news and rumors this week included word that Apple is FINALLY planning to introduce a native Calculator app for the iPad later...