
Safari bug lets websites track browsing activity and unique identifiers

The flaw, found in Apple's WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15

Researchers have found a bug in Apple's Safari browser that allows websites to track a user's browsing activities across other sites.

The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user's unique ID for some websites to other sites that they visit.

The flaw, found in Apple's WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15. It lies in WebKit's implementation of the Indexed Database API, commonly called IndexedDB, a JavaScript API through which a web page stores and retrieves structured objects in the browser. Web applications frequently use it to hold data generated while the user interacts with them, which can include the user's unique ID for the application, such as their Google ID.

When properly implemented, IndexedDB follows the same-origin principle. This ensures that information stored by a web page is only available to web pages from the same domain, and stops over-inquisitive web pages from reading other domains' stored information, which could include sensitive user or session data.


FingerprintJS found that WebKit's IndexedDB implementation fails to observe the same-origin principle, instead making the names of stored databases visible to websites from other domains.

FingerprintJS called the bug a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," the company said in its analysis of the bug. "This is possible because database names are typically unique and website-specific."

The company found that some websites embed user-specific data, such as ID numbers, in their IndexedDB database names, making it easy for any other website to learn a user's ID on those sites. Using this ID to look up the user's assets (such as profile pictures) could allow the user to be identified, the company warned. Google websites store ID numbers in this way, making it possible for other sites to harvest Google IDs using the bug.
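The practical lesson for developers is that, when database names leak across origins, anything user-specific in a name leaks with it. The following is an added example, not code from the article or from FingerprintJS: it contrasts the leaky naming pattern with one that keeps the identifier inside the store, and provides a pre-ship audit that flags identifier-like tokens in a list of database names. The function names, the regex heuristics and the sample names are all constructed for illustration.

```javascript
// Vulnerable pattern: the user's ID becomes part of the database name,
// so a cross-origin name leak reveals the ID directly.
function leakyDbName(userId) {
  return `app-user-${userId}`;
}

// Hardened pattern: one fixed, non-identifying database name per app.
// The user ID is carried in the record key *inside* an object store,
// where a name-only leak cannot reach it.
const SAFE_DB_NAME = "app-cache";
function safeRecordKey(userId, key) {
  return [userId, key]; // compound key for an object store with keyPath ["userId", "key"]
}

// Heuristics (constructed for this example) for identifier-like tokens
// that should never appear in a database name.
const ID_PATTERNS = [
  /\d{6,}/,                                                        // long numeric account IDs
  /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i, // UUIDs
  /[^\s@]+@[^\s@]+\.[^\s@]+/,                                      // e-mail addresses
  /[0-9a-f]{32,}/i,                                                // hex digests / session tokens
];

// Returns the subset of names that appear to carry a user identifier.
function auditDbNames(names) {
  return names.filter((name) => ID_PATTERNS.some((re) => re.test(name)));
}

// Constructed sample names, not real databases.
const sampleNames = [
  leakyDbName("1234567890"),
  "user-cache-a3f9c2e1-7b8d-4e21-9c55-0f1e2d3c4b5a",
  "prefs-alice@example.com",
  SAFE_DB_NAME,
  "app-cache-v2",
];

console.log(auditDbNames(sampleNames)); // the three identifier-bearing names
```

The audit is intended to run against a site's own database names in a build step or test; a clean result means a name-only leak reveals which site the user visited but not who they are.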

The bug affects all browsers on iOS 15 because Apple mandates the use of WebKit on this platform in its developer guidelines. Section 2.5.6 says "Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript."

FingerprintJS said that it had notified Apple of this bug on November 28 but Apple had not patched it. Apple's engineers began creating a patch on Sunday February 17, the day that FingerprintJS published details of the bug.
