Apple is fixing a bug in Safari that can extract your recent browsing history

Last week, a WebKit bug was revealed that hackers could exploit through a JavaScript API called IndexedDB. Browser fingerprinting service FingerprintJS says the bug can reveal your recent browsing history and even your identity.

According to a WebKit commit on GitHub, Apple has since prepared a fix for the bug, but the fix won’t be available to users until Apple releases updated versions of Safari for macOS Monterey, iOS 15, and iPadOS 15. Apple declined to comment when asked for a time frame for releasing the fix to the public.

The vulnerability allows any website that uses IndexedDB for client-side data storage to read the names of IndexedDB databases created by other websites during a user’s browsing session. Because database names tend to be unique to each website, a website could use this to track the other websites a user visits in different tabs or windows. Database names also sometimes contain user-specific identifiers that could reveal the user’s identity.

FingerprintJS has a live demo of this bug, which affects newer versions of browsers that use Apple’s open-source browser engine WebKit, including Safari 15 for macOS and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome and Edge on iOS 15 and iPadOS 15, as Apple requires all iPhone and iPad browsers to use WebKit.
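
Because database names that embed user-specific identifiers are what turn this leak into an identity leak, a site owner can audit the names their own site creates. The following is an added example, not code from the article, WebKit, or FingerprintJS: the patterns, function names, and sample names are constructed for illustration, and it assumes the standard `indexedDB.databases()` call is available when run in a browser.

```javascript
// Heuristic audit: flag IndexedDB database names that embed user-specific data.
// Patterns are illustrative assumptions; order matters (most specific first).
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-hex", re: /[0-9a-f]{16,}/i },
  { kind: "numeric-id", re: /\d{6,}/ },
];

// Return the first identifier-like pattern found in a single database name.
function classifyName(name) {
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    const m = re.exec(name);
    if (m) return { name, risky: true, kind, match: m[0] };
  }
  return { name, risky: false, kind: null, match: null };
}

// Keep only the names that look like they carry a per-user identifier.
function auditDatabaseNames(names) {
  return names.map(classifyName).filter((r) => r.risky);
}

// Browser entry point: audits only the databases of the page's own origin.
// Returns an empty list where IndexedDB or databases() is unavailable.
async function auditCurrentOrigin() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache",
  "offline-store-v2",
  "mail-alice@example.com",
  "profile-3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
  "user_1234567890_settings",
];

for (const finding of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${finding.name}: contains ${finding.kind} (${finding.match})`);
}
```

Names flagged by the audit are candidates for renaming to a fixed, per-site constant, with the user-specific value moved inside the database itself.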
