Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time [Updated]

A bug in WebKit's implementation of a JavaScript API called IndexedDB can reveal your recent browsing history and even your identity, according to a blog post shared on Friday by browser fingerprinting service FingerprintJS.

safari icon blue banner
In a nutshell, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user's browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often unique and specific to each website. The correct and normal behavior should be that websites can only access their own IndexedDB databases.

In some cases, websites use unique user-specific identifiers in IndexedDB database names. For example, YouTube creates databases that include a user's authenticated Google User ID in the name, and this identifier can be used with Google APIs to fetch personal information about the user, such as a profile picture, according to FingerprintJS. This personal information could help a malicious actor to determine a user's identity.

The bug affects newer versions of browsers using Apple's open source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome on iOS 15 and iPadOS 15, as Apple requires all browsers to use WebKit on the iPhone and iPad. FingerprintJS has a live demo of the bug that indicates older browsers like Safari 14 for Mac are unaffected.


FingerprintJS noted that no user action is required for a website to access IndexedDB database names generated by other websites.

"A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time," the blog post said. "Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site."

Private browsing mode does not protect against the bug in affected Safari versions.

Users will need to wait for Apple to address the bug with software updates — we've reached out to Apple to see if a fix is planned. In the meantime, Safari 15 users could temporary switch to a different browser on the Mac, but this is not possible on the iPhone or iPad since all browsers are affected by the WebKit bug on those devices.

The bug was reported to the WebKit Bug Tracker on November 28. More details can be found in FingerprintJS's blog post, reported earlier by 9to5Mac.

Update: Apple has prepared a fix for the bug, according to a WebKit commit on GitHub, but Apple still needs to release macOS and iOS updates with an updated version of Safari before the fix is available to users. Apple declined to provide a timeframe.

Tag: Safari

Popular Stories

M4 Mac mini Ortho Silver Cooler

Amazon Leaks Smaller Mac Mini With M4 and M4 Pro Chips, Two Front USB-C Ports, Up to 64GB of RAM, and More

Monday October 28, 2024 7:16 pm PDT by
Amazon has seemingly leaked the rumored next-generation Mac mini ahead of Apple's announcement this week, revealing several details. Our concept of a smaller Mac mini According to a comparison chart on Amazon's product listing for the new iMac, the new Mac mini will be available with M4 and M4 Pro chip options, with up to a 14-core CPU and up to a 20-core GPU. In addition, the chart indicates ...
maxresdefault

Apple Announces Redesigned Mac Mini With M4 and M4 Pro Chips, Two Front USB-C Ports, and More

Tuesday October 29, 2024 8:01 am PDT by
Apple today announced fully redesigned Mac mini models featuring the M4 and M4 Pro chips, a considerably smaller casing, two front-facing USB-C ports, Thunderbolt 5 connectivity, and more. Subscribe to the MacRumors YouTube channel for more videos. The product refresh marks the first time the Mac mini has been redesigned in over a decade. The enclosure now measures just five by five inches...
Apple MacBook Pro M4 Cinema 4D Slack Finder Xcode 1

Apple Announces MacBook Pro Models With M4 Pro and M4 Max Chips, Thunderbolt 5 Support, and More

Wednesday October 30, 2024 8:01 am PDT by
Apple today announced new 14-inch and 16-inch MacBook Pro models featuring M4 Pro and M4 Max chips, alongside a new entry-level 14-inch MacBook Pro powered by the M4 chip. Subscribe to the MacRumors YouTube channel for more videos. The new M4 Pro and M4 Max machines come with a minimum of 24GB of Unified Memory as standard, up from 18GB in the previous models. Both models feature three...
m3 macbook air blue

Apple Announces MacBook Air Now Starts With Increased 16GB of RAM With No Price Increase

Wednesday October 30, 2024 8:04 am PDT by
Apple today in its new MacBook Pro press release announced that the MacBook Air lineup now starts with 16GB of RAM, up from 8GB previously. This change applies to the 13-inch model with the M2 chip, the 13-inch model with the M3 chip, and the 15-inch model with the M3 chip. In the U.S., the MacBook Air lineup continues to start at $999, so there is no price increase associated with the...
m3 mbp space black

Apple Leaks M4 Max Chip Icon Ahead of Announcing New MacBook Pros

Tuesday October 29, 2024 8:48 am PDT by
Oops! Eagle-eyed developer Charlie Joseph today discovered that Apple has leaked its upcoming high-end M4 Max chip through an image uploaded to its website. The discovery was shared with Bloomberg's Mark Gurman on social media. It was already pretty obvious that Apple plans to announce new 14-inch and 16-inch MacBook Pro models with M4, M4 Pro, and M4 Max chips this week, after Apple promised...
iOS 18

iOS 18.1: What You Get If You Don't Have an iPhone With Apple Intelligence

Monday October 28, 2024 3:49 pm PDT by
iOS 18.1 is the first iOS 18 update with Apple Intelligence capabilities, and that's what a lot of the coverage about the new software has focused on. If you don't have an iPhone that's capable of Apple Intelligence, you're probably wondering just what's in the update for you. While Apple Intelligence does make up the bulk of what's new, if you have an older device, you still get some solid...
watchOS 11 Thumb 2 1

Apple Releases watchOS 11.1

Monday October 28, 2024 8:05 am PDT by
Apple today released watchOS 11.1, the first major update to the operating system that runs on the Apple Watch. watchOS 11.1 comes one month after Apple released watchOS 11. watchOS 11.1 is compatible with the Apple Watch Series 6 and later, all Apple Watch Ultra models, and the Apple Watch SE 2. watchOS 11.1 can be downloaded on an iPhone running iOS 18.1 by opening up the Apple Watch app...

Top Rated Comments

LoveTo Avatar
37 months ago
I feel like I should just burn all my gadgets and go live in the mountains. ?
Score: 64 Votes (Like | Disagree)
planteater Avatar
37 months ago
Reported on November 28. That was a long time ago to have such a serious bug unpatched. I'd like to hear Apples response.
Score: 33 Votes (Like | Disagree)
antiprotest Avatar
37 months ago

I feel like I should just burn all my gadgets and go live in the mountains. ?
Then you will have no way to know if someone put an AirTag on you.
Score: 26 Votes (Like | Disagree)
nadozza Avatar
37 months ago

Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.
What does this have to do with Monterey? It’s a bug in WebKit. One they should have dealt with by now, but it’s not Monterey or MacOS specific.
Score: 25 Votes (Like | Disagree)
citysnaps Avatar
37 months ago

Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.
Please...don't say stuff like that when I'm drinking milk. Not pretty.
Score: 23 Votes (Like | Disagree)
Celtic-moniker Avatar
37 months ago

Swell. add that to the huge bug list in Monterey.

Meanwhile Microsoft fixes bugs, adds new features on a week by week basis.
Microsoft fixes bugs and adds features? I think you meant Linux.
Score: 16 Votes (Like | Disagree)