Apple’s developers are reportedly working on a fix for a serious bug in Safari 15 that was reported at the end of last week.
According to a GitHub entry, an update for Safari that fixes the error described has already been prepared, although it hasn’t yet been rolled out to users.
The Safari fix will probably form part of imminent updates to iPadOS 15, iOS 15 and macOS Monterey, MacRumors reports. The beta version of Safari Technology Preview will probably be updated much earlier.
The previous versions of Safari on iOS 14 and Big Sur were not affected by the bug, so users of those browsers do not need to worry about the issue.
The original story
Here’s the original story as we reported it on 17 January:
A bug has been discovered in Safari 15 that could leak Mac, iPhone and iPad users’ browser activity, and make personal information associated with their Google accounts visible to others. FingerprintJS discovered the vulnerability, and reports that, among other things, visited web pages may become visible to unauthorised persons as a result.
The problem lies in the way Safari for Mac and iOS implements Indexed DB, an API that stores data in the browser.
Apple reportedly became aware of the problem back in late November, but has yet to take action. This is despite the fact that it represents a potentially serious privacy breach.
The leak
When you go to a website that uses a local database in a new tab, a new empty database with the same name is created in all other tabs and windows (except private ones).
Most sites that use these databases give the database a name that makes it obvious which site it is. The result is that all other open sites can theoretically see which site you’ve just opened. When you close the tab, these databases are deleted, but by then it’s already too late.
“The fact that database names leak across different origins is an obvious privacy violation,” explains FingerprintJS. “It lets arbitrary websites learn what websites the user visits in different tabs or windows.”
More serious issues with Google
Unfortunately, it doesn’t end there. Some sites also use unique names that can be linked to a specific user. Google is the biggest and worst example here. That’s because Google uses an internal user ID as its database name, which means that a site programmed to exploit the Safari bug will find out your Google account’s internal ID code.
As if that wasn’t enough, a database is also created for each Google account you’re logged into. For example, if you’re logged into a personal and a work account, the spying site will know about both and can hide the connection between them.
Our recommendation
Until Apple fixes the bug, we recommend that refrain from logging into Google in Safari. The bug is easy to exploit and is guaranteed to be used by unscrupulous developers to create databases of users’ unique Google IDs.
In fact, users who care about privacy might be best advised to only use new private windows for each page they visit, or until then use an alternative browser that also takes privacy seriously, such as Firefox or Brave.
We round up the best Mac browsers and the best iPhone browsers in separate articles.
This article originally appeared on Macworld Sweden. Additional reporting by David Price and Stephen Wiesend.