Apple has prepared a fix for a Safari 15 bug that allows websites to view your browsing habits and Google account details. And, because it’s a bug in WebKit — Apple’s browser engine used by Safari and third-party apps in the App Store — it affects virtually all iOS and iPadOS browsers, including Chrome and Brave.
Unfortunately, Apple’s patch won’t be available until the company rolls out new macOS, iOS and iPadOS updates. There’s currently no word on when that might be. Apple is in the process of beta testing new software updates, but it may be too late for the fix to be implemented into those before they are made available to all.
Apple fixes big Safari leak
The bug, first discovered by FingerprintJS, stems from the way in which Safari 15 handles the IndexedDB API. Rather than keeping your databases protected, as it should, it leaves them exposed to almost any website.
From our previous report:
IndexedDB uses what’s called a “same-origin policy” — a security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. In other words, the same-origin policy prevents one website from accessing data saved by another.
However, in Safari 15, a bug prevents the same-origin policy from working correctly. This gives websites access to the databases created by other sites, allowing them to view your browsing habits outside their walls
Apple has since confirmed via a WebKit commit on GitHub that it has developed a fix for this security vulnerability. But we don’t yet know when Cupertino will make it available.
Software updates required
It seems Apple must distribute the fix via system software updates for macOS, iOS and iPadOS rather than with a simple Safari update. Apple continues testing new software betas for its various platforms. However, it’s unlikely this fix will be implemented until the following versions.
We’ll update you as soon as we know more about Apple’s fix. It’s important to remember that if you’re still using Safari 14 or earlier, you’re not affected by this bug.