Apple Safari bug reveals users' internet activity and identities

Apple's Safari web browser version 15 introduced a privacy-busting bug that can be abused to learn what sites users visit, and reveal their unique user identification data.

Software engineer Martin Bajanik discovered that Apple's implementation of the IndexedDB application programming interface violates a fundamental security mechanism in browsers, the same-origin policy.

The same-origin policy restricts documents and scripts running in browsers from interacting with resources hosted on other domains.

IndexedDB should adhere to the same-origin policy, but Bajanik found that it's possible to leak database names across multiple origins, in different browser windows and tabs.

"This means that authenticated users can be uniquely and precisely identified. Some popular examples would be YouTube, Google Calendar, or Google Keep.

"All of these websites create databases that include the authenticated Google User ID and in case the user is logged into multiple accounts, databases are created for all these accounts," Bajanik wrote.

iTnews was able to confirm that the bug exists, by going to Bajanik's SafariLeaks website that revealed Google user identification numbers.

No user action is required, and many popular websites interact with the IndexedDB API directly on their home pages. 

Using Safari's Private Mode incognito browsing does not protect against the bug, Bajanik said.

Even though browsers such as Google Chrome and Mozilla Firefox are not affected on desktop operating systems, on Apple's iOS and iPadOS they must use the WebKit rendering engine and are therefore vulnerable.

Until Apple fixes the bug, the only workaround for users is to disable all Javascript by default, and only allow it to run on known, trusted sites.