Pages: [1]   Go Down
  Print  
Author Topic: Safari 15 bug leaks your iPhone and Mac browsing activity as you work  (Read 143 times)
HCK
Global Moderator
Hero Member
*****
Posts: 79425



« on: January 21, 2022, 04:05:10 pm »

Safari 15 bug leaks your iPhone and Mac browsing activity as you work

<div id="link_wrapped_content">
<body><section class="wp-block-bigbite-multi-title"><div class="container"></div></section><p><strong>Update 1/19:</strong> Apple is working on a fix, according to a Github post.</p>



<p>Just days after Apple patched a bug that could allow a hacker to send your iPhone into an endless loop of crashes, <a href="https://go.redirectingat.com/?id=111346X1569486&amp;url=https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/&amp;xcust=1-1-605562-1-0-0&amp;sref=https://www.macworld.com/feed" rel="nofollow">FingerprintJS has uncovered a Safari vulnerability[/url] that could expose your internet activity and personal data to an open website.</p>



<p>The bug originates in the <a href="https://go.redirectingat.com/?id=111346X1569486&amp;url=https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API&amp;xcust=1-1-605562-1-0-0&amp;sref=https://www.macworld.com/feed" rel="nofollow">IndexedDB API[/url], which is used for client-side storage of significant amounts of structured data, according to Mozilla. As FingerprintJS explains, since IndexedDB is a low-level API used by all major browsers, many developers &ldquo;choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.&rdquo;</p>



<p>As such, Safari&rsquo;s version of IndexedDB is violating the same-origin security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins, according to FingerprintJS. Consequently, arbitrary websites could spy on the other websites a user visits in different tabs or windows.</p>



<figure class="wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter"><div class="wp-block-embed__wrapper">
<blockquote class="twitter-tweet" data-width="500" data-dnt="true"><p lang="en" dir="ltr">This is a huge bug. On OSX, Safari users can (temporarily) switch to another browser to avoid their data leaking across origins. iOS users have no such choice, because Apple imposes a ban on other browser engines. <a href="https://go.redirectingat.com/?id=111346X1569486&amp;url=https://t.co/aXdhDVIjTT&amp;xcust=1-1-605562-1-0-0&amp;sref=https://www.macworld.com/feed" rel="nofollow">https://t.co/aXdhDVIjTT[/url]</p>&mdash; Jake Archibald (@jaffathecake) <a href="https://go.redirectingat.com/?id=111346X1569486&amp;url=https://twitter.com/jaffathecake/status/1482627132903858176?ref_src=twsrc%5Etfw&amp;xcust=1-1-605562-1-0-0&amp;sref=https://www.macworld.com/feed" rel="nofollow">January 16, 2022[/url]<script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script></div></figure><p>Since some websites use unique user-specific identifiers in database names, FingerprintJS explains that authenticated users can be &ldquo;uniquely and precisely identified&rdquo; by sites such as YouTube, Google Calendar, and Google Keep. And since you&rsquo;ll be logged in to those sites using your Google ID, the databases created for that account could be leaked, which include personal information. FingerprintJS uncovered several other sites vulnerable to the bug, including Twitter and Bloomberg.</p>



<p>According to a <a href="https://go.redirectingat.com/?id=111346X1569486&amp;url=https://github.com/WebKit/WebKit/commit/f73005ed826014988f8ee447de23927749fb56e5&amp;xcust=1-1-605562-1-0-0&amp;sref=https://www.macworld.com/feed" data-type="URL" data-id="https://github.com/WebKit/WebKit/commit/f73005ed826014988f8ee447de23927749fb56e5" rel="nofollow">Webkit post on Github[/url] (<a href="https://go.redirectingat.com/?id=111346X1569486&amp;url=https://9to5mac.com/2022/01/18/apple-working-on-a-fix-for-safari-bug-that-leaks-browsing-history-and-google-id/&amp;xcust=1-1-605562-1-0-0&amp;sref=https://www.macworld.com/feed" data-type="URL" data-id="https://9to5mac.com/2022/01/18/apple-working-on-a-fix-for-safari-bug-that-leaks-browsing-history-and-google-id/" rel="nofollow">spotted by 9to5Mac[/url]), Apple is aware of the issue and working on a fix.</p>



<p>You can see the bug in action <a href="https://go.redirectingat.com/?id=111346X1569486&amp;url=https://safarileaks.com/&amp;xcust=1-1-605562-1-0-0&amp;sref=https://www.macworld.com/feed" rel="nofollow">using a demo created by FingerprintJS[/url]. The only known mitigation is to change browsers on macOS. iOS and iPadOS users have fewer options due to Apple&rsquo;s handling of browser engines, though FingerprintJS notes that users could block all JavaScript by default and only allow it on trusted sites. That, or just wait for an update to arrive. Apple is currently preparing <a href="https://www.macworld.com/article/560895/ios-15-3-features-security-updates-beta-install.html" data-type="URL" data-id="https://www.macworld.com/article/560895/ios-15-3-features-security-updates-beta-install.html">iOS 15.3[/url] and macOS 12.2 for release, but it&rsquo;s unclear if it includes a Safari fix.</p>
</body></div>

Source: Safari 15 bug leaks your iPhone and Mac browsing activity as you work
Logged
Pages: [1]   Go Up
  Print  
 
Jump to: