Apple patches Safari bug that leaked user data

Safari Tech Preview logo on MacBook Pro in office
(Image credit: Apple)

Apple has pushed iOS 15.3 RC and macOS Monterey 12.2 RC to developers and beta users as part of a plan to fix a Safari flaw that leaked browsing history and some Google data.

This follows recent news that cybersecurity researchers from FingerprintJS had found a problem in an Apple API - IndexedDB, used to store data in the browser.

Safari 15 has a security measure that prevents malicious pages, opened in one tab, to read the data generated by websites opened in another tab. The researchers found that the API doesn’t follow this policy, and instead creates a new database with the same name in all other active frames, tabs, and windows, within the same browser session.

No wider release just yet

Describing the potential ways to leverage the flaw, researchers explained that a malicious page opened in one tab, could obtain data generated by the page in another. Furthermore, the flaw can be leveraged to obtain Google account data.

Google’s services (for example, YouTube) generate databases containing the unique Google User ID in their names. As these IDs are used to access public information, such as a profile picture, other sites could see it, as well. 

FingerprintJS has even created a dedicated website to demonstrate the bug in the wild. Now, as reported by 9to5Mac, testing for the flaw on devices updated to iOS 15.3 RC and macOS 12.2 RC has shown that the website no longer sees any data, and shows a user not being logged into their Google account. 

The researchers claimed that the flaw affected all iOS 15 and macOS Monterey versions, until this newest one. iOS 14, however, was not affected, nor were those still using Safari 14 on older versions of the Mac.

Apple is yet to set an official release date for these new versions of the operating system, but given that the Release Candidate version has already been shipped, it’s safe to assume that it won’t take too long.

  • You might also want to check out our list of the best firewalls right now

Via: 9to5Mac

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.