Track apps

Safari bug allows websites to track browsing activity and unique identifiers

Researchers have discovered a bug in Apple’s Safari browser that allows websites to track a user’s browsing activities on other sites.

The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user’s unique identifier for certain websites to other sites they visit.

The flaw, found in Apple’s WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15. It resides in WebKit’s implementation of the indexed database API, commonly known as IndexedDB , a JavaScript API that browsers use to access a database of objects, and it frequently stores data generated when interacting with a web application. This includes a user’s unique identifier for interacting with web applications, such as their Google ID.

When implemented correctly, IndexedDB follows the co-origin principle. This ensures that information stored from a webpage is only available to webpages in the same domain. It prevents curious web pages from accessing another domain’s stored information, which could include sensitive user or session data.

FingerprintJS found that WebKit’s IndexedDB implementation violates the same-origin principle, instead making stored information available to websites in other domains.

FingerprintJS called the bug a privacy breach. “It allows arbitrary websites to learn which websites the user visits in different tabs or windows,” the company said in its To analyse of the bug. “This is possible because database names are usually unique and website-specific.”

Related Resource

Bridging the DevSecOps Gap: Spotlight on Key Relationships

The importance of the relationship between security and development

Free download

The company has found some websites using user-specific IndexedDB data, such as ID numbers in their IndexedDB database names, which makes it easy for any other website to find the ID of a user on other sites. Using this ID to search user assets (such as profile pictures) could lead to user identification, the company warned. Google websites store ID numbers this way, allowing other sites to harvest Google IDs using the bug.

The bug affects all browsers on iOS 15 because Apple mandates the use of WebKit on this platform in its guidelines for developers. Section 2.5.6 states that “applications that browse the web must use the appropriate WebKit framework and WebKit Javascript”.

FingerprintJS said it notified Apple of this bug on November 28, but Apple did not fix it. Apple engineers started creating a fix on Sunday, February 17, the day FingerprintJS released the bug details.

Featured Resources

How Virtual Desktop Infrastructure Enables Digital Transformation

Challenges and Benefits of VDI

Free download

Okta’s Digital Trust Index

Exploring the human side of trust

Free download

Optimizing Workload Placement in Your Hybrid Cloud

Deliver increased IT agility with the cloud

Free download

Modernize endpoint protection and leave legacy challenges behind

The risk of keeping your old endpoint security tools

Download now