A new bug in Apple’s Safari browser leaves your data open to theft

A fix is hopefully coming soon.


UPDATE 1/27/2022 10:03 AM ET: This vulnerability has now been patched thanks to a recent iOS 15.3 update.

There’s a new bug in Apple’s Safari web browser that leaves your data vulnerable to exposure. The bug sits deep within WebKit, the company’s browser engine, and it means that virtually anyone can gain access to your browser history and even some personal information.

Initially discovered by FingerprintJS, the new bug showed up in Safari 15 and involves the Indexed Database API (IndexedDB). IndexedDB essentially lets websites store data directly on your device so that the sites might load faster in the future.

The problem arises around the concept of the same-origin policy. The same-origin policy is a security measure that doesn’t allow websites to freely interact with each other using APIs like IndexedDB.


The problem is a newly introduced bug that violates the same-origin policy through IndexedDB. The bug causes the API to expose all of the data that it has collected to any website that users visit.
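A simplified model of the origin scoping described above, as an added example (not code from this article, FingerprintJS or WebKit). The class, the function names and the `*.example` URLs are hypothetical; it contrasts a listing that filters by origin with one that does not, and includes the kind of regression check that catches the difference.

```javascript
// Toy model of origin-scoped storage (added illustration, not WebKit code).
// An origin is the scheme + host + port of a URL; URL.origin drops default ports.
const originOf = (url) => new URL(url).origin;
const sameOrigin = (a, b) => originOf(a) === originOf(b);

// Hypothetical store: each database is filed under the origin that created it.
class OriginScopedStore {
  constructor() {
    this.byOrigin = new Map(); // origin -> Map(database name -> records)
  }
  open(pageUrl, dbName) {
    const origin = originOf(pageUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    const dbs = this.byOrigin.get(origin);
    if (!dbs.has(dbName)) dbs.set(dbName, []);
    return dbs.get(dbName);
  }
  // Intended behaviour: a page sees only its own origin's databases.
  visibleTo(pageUrl) {
    const dbs = this.byOrigin.get(originOf(pageUrl)) || new Map();
    return [...dbs.keys()].map((name) => ({ origin: originOf(pageUrl), name }));
  }
  // Faulty behaviour as the article describes it: no origin filter at all.
  visibleWithoutOriginCheck() {
    const out = [];
    for (const [origin, dbs] of this.byOrigin)
      for (const name of dbs.keys()) out.push({ origin, name });
    return out;
  }
}

// Regression check: entries a page can see that belong to another origin.
function crossOriginLeaks(pageUrl, visible) {
  return visible.filter((entry) => entry.origin !== originOf(pageUrl));
}

// Constructed sample data on reserved example domains.
function demo() {
  const store = new OriginScopedStore();
  store.open("https://mail.example/inbox", "mail-cache").push({ id: 1 });
  store.open("https://shop.example/cart", "cart").push({ sku: "A1" });
  const visitor = "https://news.example/article";
  return {
    intended: crossOriginLeaks(visitor, store.visibleTo(visitor)).length,
    faulty: crossOriginLeaks(visitor, store.visibleWithoutOriginCheck()).length,
  };
}
```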

Mac users can avoid the potential danger by just switching to a different browser. But Apple mobile device users are out of luck, as the company requires that all browsers on its mobile devices use WebKit, which opens them up to the IndexedDB bug.

FingerprintJS notes that sites like Google use a unique user ID for all of the account databases they keep. Because those unique IDs can now be identified through this new browser bug, malicious websites can learn the identity of certain users, making it much easier to exploit them in some way.

This bug was initially discovered and reported to WebKit back in November. As of now, Apple has closed the support ticket and marked the issue as resolved with a list of potential fixes. But FingerprintJS says that “the bug continues to persist for end users until these changes are released.”



Staff writer at KnowTechie. Alex has two years of experience covering all things technology, from video games to electric cars. He's a gamer at heart, with a passion for first-person shooters and expansive RPGs. Shoot him an email at alex@knowtechie.com
