Safari bug could reveal your browsing history on Mac, iPhone or iPad

Safari problems could reveal your browsing history on Mac, iPhone or iPad

The Safari browser icon on the dock of a computer running macOS.

(Image credit: PixieMe/Shutterstock)

Update: Apple tree has released an update for iOS 15 to plug the security hole Safari .

A bug in Apple tree's Safari browser could reveal your recent web history and potentially your identity to whatever website you're using. And while Mac users can only switch to some other browser, iPad and iPhone users are out of luck, considering every alternative browser is also impacted.

In a blog post published on Fri, browser fingerprinting service FingerprintJS explained the root of the problem, which affects Safari 15 for Mac and all versions on iOS 15 and iPadOS 15.

It'southward all related to the way WebKit implements a JavaScript API called IndexedDB. The bug, which was reported to WebKit on November 28, means that while a website should only exist able to run into IndexedDB databases information technology has created, it can actually see those generated past any websites during the user's browser session.

As these entries are often unique to each website, that ways that a site could effigy out what other pages you're visiting in different tabs or windows. "A tab or window that runs in the groundwork and continually queries the IndexedDB API for bachelor databases tin can learn what other websites a user visits in existent-time," the post explains. "Alternatively, websites tin open whatever website in an iframe or popup window in lodge to trigger an IndexedDB-based leak for that specific site."

As some websites likewise create user-specific identifiers in the IndexedDB database names, that also ways that bad actors could use the exploit to figure out a seemingly anonymous browser's identity.

In the video below, FingerprintJS uses YouTube equally an example. In one case logged in, the ID is changed to include a string that, with a little legwork, can exist linked to a specific person:

IndexedDB databases can be accessed without whatever user input, the mail service adds, and enabling Private Browsing mode won't close the loophole either.

An assay of Alexa'due south top 1,000 near visited pages plant that over xxx "collaborate with indexed databases directly on their homepage, without any additional user interaction or the need to authenticate."

That doesn't audio besides bad, just FingerprintJS believes that it'south worse than it sounds. "We suspect this number to exist significantly college in real-earth scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page," the post continues.

Until a fix is issued, Mac users can simply switch to another browser, simply a similar solution isn't available for worried iPhone and iPad owners because Apple requires all browsers to utilise WebKit on its mobile platforms, pregnant Chrome and Firefox are as well afflicted.

"One option may be to cake all JavaScript by default and merely allow it on sites that are trusted," the blog mail explains, but it adds that this makes web browsing "inconvenient."

"The just real protection is to update your browser or OS once the issue is resolved by Apple," the mail concludes. "In the concurrently, we hope this article volition raise awareness of this outcome."

Freelance contributor Alan has been writing about tech for over a decade, roofing phones, drones and everything in between. Previously Deputy Editor of tech site Alphr, his words are found all over the web and in the occasional magazine too. When non weighing upwards the pros and cons of the latest smartwatch, yous'll probably find him tackling his ever-growing games backlog. Or, more likely, playing Spelunky for the millionth time.