Martin Bajanik, a software engineer at the browser fingerprinting-as-a-service platform FingerprintJS, recently shared details on a bug in Safari 15 that can potentially leak users’ browsing activity to all of the websites open in the various browser frames, windows, and tabs in a single browsing session.
IndexedDB is a browser API for client-side storage designed to hold significant amounts of data. The low-level API is supported in all major browsers and used by a significant percentage of websites.
The IndexedDB API, like most modern web browser technologies, uses the same-origin policy to make sure that a visited website only has access to its own data from the user’s browsing activity and not data from any other websites.
“In Safari 15 on macOS and all browsers on iOS and iPadOS 15, this policy is being violated as a result of a bug in WebKit’s IndexedDB implementation,” said Bajanik in his explanation video.
As a result, any website that uses IndexedDB can learn which websites the user visits in other tabs or windows during the same browsing session, essentially leaking the entirety of a user’s browser activity to the websites they visit.
This is an obvious violation of user privacy, much like third-party tracking in mobile apps, which Apple deployed the App Tracking Transparency framework in iOS 14.5 to fight, and over which that framework gives users more control.
As for how many websites actually use the IndexedDB API, Bajanik found that more than 30 websites out of Alexa’s top 1,000 most visited websites interact with indexed databases directly on their homepage, without any additional user interaction.
“We suspect this number to be significantly higher in real-world scenarios as websites can interact with databases on subpages, after specific user actions, or on authenticated parts of the page,” Bajanik warned in his blog post.
The potential leak even affects Private Mode browsing in Safari. Users can, however, minimize the amount of data available through the leak by restricting all of their browsing activity in Safari 15 and on iPhone/iPad to a single tab at a time. It may not be the most elegant solution, but it will ensure your private data remains private.
Mac users can shield themselves from the dangers of this bug by switching to a browser other than Safari, such as one not based on WebKit. Unfortunately, iPhone and iPad users don’t have that luxury, since Apple requires browsers on iOS and iPadOS to use WebKit; they will have to wait for Apple to patch the vulnerability.