On Friday, a report from FingerprintJS revealed a Safari 15 IndexedDB bug that can leak your internet activity to any website. Apple engineers began working on a fix as of yesterday but so far the bug is still present.
Safari 15 IndexedDB Bug
IndexedDB, or Indexed Database, is an API that allows browsers to store large amounts of structured data on a device. It’s found within all major browsers. It follows something called a “same-origin policy,” which is a security feature that restricts how documents or scripts loaded from one origin can interact with resources from other origins. The team created a video that explains:
But Safari 15 is violating the same-origin policy. Every time a website interacts with a database, a new empty database with the same name is created in other tabs and windows during the browsing session. This means that other websites can see the name of this database, which could contain identifying information.
For example, Google services such as YouTube, Google Calendar, and Google Keep create databases that include your Google ID. If a user is logged into multiple accounts, databases are created for each one. FingerprintJS says “Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user.”
It’s easy to avoid the Safari 15 IndexedDB bug on the Mac because you can simply use a different browser. However, since Apple forces all iOS and iPadOS browsers to use its WebKit browser engine, all third-party browsers also contain the bug on these mobile platforms.
Additionally, FingerprintJS says that the bug is still present in private browsing mode, although this mode can contain data leakage a bit. However, if you visit multiple different websites within the same tab, all databases these websites interact with are leaked to all subsequently visited websites.