Safari bug lets sites track you in real time

Apple devices running the latest software versions may have their browsing tracked by certain sites because of a bug.

Privacy and data collection are sensitive topics, and most web users wouldn’t want to be monitored, let alone in real time. However, this may already be happening to you if you have an Apple device. According to FingerprintJS, users of products running macOS Monterey, iOS 15 or iPadOS 15 are subject to a bug that makes their browsing visible to certain sites.

This is due to a flaw in IndexedDB, a database embedded in the Safari browser. Websites normally use it to store data tied to an identifier in order to offer you a personalized experience. For example, when you log in to a site with your Google ID, the site retrieves your user name and profile photo from the corresponding database.

Real-time tracking

Sites are not supposed to access the databases of other sites, in order to protect your personal data as much as possible. However, this seems to be the case in the latest version of Safari.

“Each time a website interacts with a database, a new (empty) database with the same name is created. Windows and tabs generally share the same session unless you switch to a different profile or open a private window. For the sake of clarity, we will refer to newly created databases as ‘cross dual-origin databases’ in the rest of the article.

The fact that database names are leaking between different origins is a clear breach of privacy. It allows arbitrary websites to know which sites the user is visiting in different tabs or windows. Additionally, we have observed that in some cases, websites use user-specific unique identifiers in database names. This means that authenticated users can be uniquely and accurately identified.”

In other words, sites using this same database can know which sites you have visited, or which you are visiting at this very moment. All this allows your browsing to be tracked in real time, a very clear violation of user privacy. So what can you do to protect yourself against this bug until it is resolved?

How to protect yourself while waiting for the Safari update?

The author of the article states that there are few things you can do. In some cases, this bug is present even in private browsing on Safari. However, there are a few workarounds, useful but annoying. One of them is to block all JavaScript by default and only allow it on trusted sites.

The other option, unfortunately only valid on Mac, is to change browsers. On iPhone, this would not help, since all browsers are affected by the bug. So remember to check for available updates, which will solve this problem definitively.
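
Site operators can also limit what this bug exposes by keeping user identifiers out of IndexedDB database names, the case the quote above singles out. The following is an added example, not code from the original article or from FingerprintJS: it audits a list of database names for embedded identifiers, and the patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: audit IndexedDB database names for user-specific identifiers.
// Patterns, function names and sample names are constructed for illustration.
const ID_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@]+@[^\s@]+\.[a-z]{2,}/i },
  { kind: "long-number", re: /\d{9,}/ },        // account-id sized integers
  { kind: "hex-token", re: /[0-9a-f]{24,}/i },  // hashes, session-like tokens
];

// Returns the kind of identifier found in a database name, or null if none.
function classifyDbName(name) {
  for (const { kind, re } of ID_PATTERNS) {
    if (re.test(name)) return kind;
  }
  return null;
}

// Returns [{ name, kind }] for every name that embeds a likely identifier.
function auditDbNames(names) {
  return names
    .map((name) => ({ name, kind: classifyDbName(name) }))
    .filter((entry) => entry.kind !== null);
}

// In a browser, lists the databases of your own origin; elsewhere returns [].
async function listOwnDbNames() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return dbs.map((db) => db.name);
}

// Constructed sample: names a site might create after a user logs in.
const SAMPLE_NAMES = [
  "app-cache",
  "offline-queue-v2",
  "profile_3f2b8c1e-9d4a-4e7b-8a6c-1b2d3e4f5a6b",
  "inbox:alice@example.com",
  "user-1029384756",
];

const findings = auditDbNames(SAMPLE_NAMES);
for (const f of findings) {
  console.log(`${f.kind.padEnd(12)} ${f.name}`);
}
```

On a real site, pass the result of `listOwnDbNames()` to `auditDbNames()` from a logged-in session and rename any flagged database to a fixed, user-independent name.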
