A bug in Safari allows other websites to track your recent browsing activity

FingerprintJS, a browser fingerprinting and fraud detection service, has discovered a bug in Safari 15 that could leak your browsing activity to other websites.

This issue is caused by Safari's implementation of IndexedDB, an API that stores data on your browser. IndexedDB abides by something called the "same-origin policy."

Essentially, it means only the website that generates the data can access it. This makes sense and it means that even if you open a malicious webpage in one tab, it doesn't immediately have access to data in other tabs.

[embed]https://www.youtube.com/watch?v=Z7dPeGpCl8s[/embed]

The problem with Safari is that it violates this policy. Whenever Safari interacts with a website and a database, " a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session."

This practice allows other websites to see the name of other databases and therefore your recent browsing activity. Furthermore, these databases often contain details that can be used to identify the user, such as your unique Google ID.

FingerprintJS created a proof-of-concept demo on this page which you can try if you are running Safari 15 and above on your Mac, iPhone, and iPad. It shows how sites can exploit the bug and scrape information from your browsing activity.

What can I do?

Neither Apple nor WebKit has commented on this issue, but it's reasonable to expect them to issue an update to patch this bug soon.

In the meantime, Mac users can consider switching to another browser. iOS users, unfortunately, have no way around this since Apple bans third-party browser engines on iOS.

This article was first published in Hardware Zone.