A bug in the Apple Safari web browser is allowing websites to access users' browsing history and other personal information. With the recent updates for iOS, Apple has been fixing many bugs and vulnerabilities. In Nov. 2021, Apple released the iOS 15.1 with SharePlay and ProRes Video for iPhone 13 Pro models. However, it was reported to contain two unpatched zero-day vulnerabilities, which were said to be actively exploited. Additionally, the public version of the update was said to be loaded with bugs, including connectivity issues with AirPods Pro and Unlock with Apple Watch feature.
The recent iOS 15.2.1 update also contains a fix to a HomeKit bug. As mentioned in the synopsis of the bug in Spiniolas's report, changing the name of a HomeKit device to a string containing many characters will lead to disruption of the device, leaving it unusable. However, since Apple has fixed the issue with its latest update, users are advised to update to the newest version of iOS.
FingerprintJS reports that Safari 15 on macOS and all browsers on iOS and iPadOS 15 are vulnerable to the bug. The IndexedDB API used in these web browsers does not adhere to the same-origin policy that prevents scripts or documents from one origin from accessing information from other sources. Due to the bug, every time a website interacts with the local database that stores information about the user and their browsing activity, an empty database with a similar name is created for all other tabs and windows active during the session. Accessing these "cross-origin-duplicated databases" a domain can get the information that violates users' privacy. In simple words, the bug allows websites to access the users' browsing information and history related to other websites on the Apple Safari web browser.
The Bug May Also Reveal Users' Google ID
Those using Apple devices such as an iPhone, iPad, or MacBook can try the live demonstration of bug here. This demonstration displays the violation of the IndexedDB same-origin policy in the browser engine used in Safari, WebKit. Visiting the demo page from a macOS device will display the number of database names (the number of active tabs in a browsing session) and a list of websites from users' recent browsing history. Unfortunately, that is not all. The bug also enables nefarious websites to access the Google ID that may be linked to the browser, which can reveal the user's identity and other personal details. Visiting the demo page from a Windows 10 or Windows 11 powered laptop clearly says "your browser is not affected" and does not display any websites or other details.
In further research, FingerprintJS found that more than 30 websites in Alexa's top 1000 most visited websites accessed the indexed databases without users' consent. Additionally, the Safari 15 private mode also appears to be affected by the bug. Moreover, there is not much that users can do to protect against the bug. Updating their initial report, FingerprintJS has also mentioned that Apple engineers began working on the bug Sunday, Jan. 16, 2022. However, the bug is still present on Safari 15 for macOS and all web browsers on iOS and iPadOS 15, and it will continue to do so in the absence of a fix released by Apple.
Source: FingerprintJS, Safari Leaks