Safari bug lets websites track browsing activity and unique identifiers

A mouse hovering over the Safari logo on a MacBook
(Image credit: Shutterstock)

Researchers have found a bug in Apple's Safari browser that allows websites to track a user's browsing activities across other sites.

The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user's unique ID for some websites to other sites that they visit.

The flaw, found in Apple's WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15. It lies in WebKit's implementation of the Indexed Database API, commonly called IndexedDB, a JavaScript API that browsers use to access a database of objects, and it frequently stores data generated while interacting with a web application. This includes a user's unique ID for interacting with web applications, such as their Google ID.

When properly implemented, IndexedDB follows the same-origin principle. This ensures that information stored from a web page is only available to web pages from the same domain. It stops over-inquisitive web pages from accessing other domain's stored information, which could include sensitive user or session data.

RELATED RESOURCE

Bridging the DevSecOps divide: Spotlight on key relationships

The importance of relationships between security and development

FREE DOWNLOAD

FingerprintJS found that WebKit's IndexedDB implementation fails to observe the same-origin principle, instead making stored information available to web sites from other domains.

FingerprintJS called the bug a privacy violation. "It lets arbitrary websites learn what websites the user visits in different tabs or windows," the company said in its analysis of the bug. "This is possible because database names are typically unique and website-specific."

The company found some websites using user-specific IndexedDB data such as ID numbers in their IndexedDB database names, making it easy for any other website to find out a user's ID on other sites. Using this ID to look up the user's assets (such as profile pictures) could allow identification of the user, the company warned. Google websites store ID numbers in this way, making it possible for other sites to harvest Google IDs using the bug.

The bug affects all browsers on iOS 15 because Apple mandates the use of WebKit on this platform in its developer guidelines. Section 2.5.6 says "Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript."

FingerprintJS said that it had notified Apple of this bug on November 28 but Apple had not not patched it. Apple's engineers began creating a patch on Sunday February 17, the day that FingerprintJS published details of the bug.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.