Apple prepares fix for Safari bug that exposes user data


Safari 15.1 design
But we don't yet know when we'll get it.
Screenshot: Cult of Mac

Apple has prepared a fix for a Safari 15 bug that allows websites to view your browsing habits and Google account details. And, because it’s a bug in WebKit — Apple’s browser engine used by Safari and third-party apps in the App Store — it affects virtually all iOS and iPadOS browsers, including Chrome and Brave.

Unfortunately, Apple’s patch won’t be available until the company rolls out new macOS, iOS and iPadOS updates. There’s currently no word on when that might be. Apple is in the process of beta testing new software updates, but it may be too late for the fix to be implemented into those before they are made available to all.

Apple fixes big Safari leak

The bug, first discovered by FingerprintJS, stems from the way in which Safari 15 handles the IndexedDB API. Rather than keeping your databases protected, as it should, it leaves them exposed to almost any website.

From our previous report:

IndexedDB uses what’s called a “same-origin policy” — a security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. In other words, the same-origin policy prevents one website from accessing data saved by another.

However, in Safari 15, a bug prevents the same-origin policy from working correctly. This gives websites access to the databases created by other sites, allowing them to view your browsing habits outside their walls

Apple has since confirmed via a WebKit commit on GitHub that it has developed a fix for this security vulnerability. But we don’t yet know when Cupertino will make it available.

Software updates required

It seems Apple must distribute the fix via system software updates for macOS, iOS and iPadOS rather than with a simple Safari update. Apple continues testing new software betas for its various platforms. However, it’s unlikely this fix will be implemented until the following versions.

The only thing you can do to avoid the problem in the meantime is to use another web browser. Disabling JavaScript can reduce the amount of data Safari leaks. However, that’s not completely foolproof. And switching off JavaScript will stop certain websites from loading correctly inside Safari.

We’ll update you as soon as we know more about Apple’s fix. It’s important to remember that if you’re still using Safari 14 or earlier, you’re not affected by this bug.


Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.