Apple Safari browser has a bug in its WebKit service

iPhone and Mac users love Apple’s Safari browser because it’s quick and easy to use. However, you may want to put it on hold for a while. Because of a new security issue discovered in the browser, websites, including those run by hackers, may be able to access the browsing history and personal information of Safari users. This means that Safari should not be used until a patch is available from Apple.

Safari 15 has a flaw in its implementation of the IndexedDB API that allows any website to follow a user’s internet behaviour and discloses their identity to anybody who has access to the database. Any website that uses the IndexedDB service can access other websites’ names and the information contained in their IndexedDB databases, and through them a user’s browsing history. IndexedDB is a JavaScript API, and WebKit’s version of it is used by practically all browsers on iOS, iPadOS and macOS.

With this problem, a website that stores information about browsing sessions using Safari’s IndexedDB service is essentially granted access to the information that other websites save about their own browsing sessions using the same IndexedDB service. This is worrisome, since your data may be exploited in a variety of ways by anybody who has access to it. This data is a gold mine for social media giants like Facebook, but hackers may steal it all if they infect a site with malicious code and use it to target unsuspecting users.

The data is exposed during a browsing session, so a website may get information from all the websites you browse in separate tabs or windows. This should not occur, because each website’s IndexedDB data during a browsing session should be unique to that website. Ideally, a website’s IndexedDB data should be accessible only to the website that created it. Instead, the issue exposes the databases of all websites to the scrutiny of other websites. This is bad.

If a background tab or window continuously queries the IndexedDB API for the available databases, it can discover in real time what other websites a user visits. “Alternatively, websites can cause an IndexedDB-based leak for a specific site by opening any other website in an iframe or popup window.”

IndexedDB database names on certain websites, like YouTube, include user-specific identifiers that are unique to the individual. When a user authenticates their Google account, YouTube generates a database with that information in the name. Information about the user from other websites, such as their profile photo, can be accessed using this Google ID and other Google APIs. Hackers might use or sell this information for criminal purposes if it reaches their hands, which is not an easy thing to achieve under the best of circumstances.
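The paragraph above is the reason site developers should keep user identifiers out of IndexedDB database names. The following is an added example, not code from the original article or from any vendor: it audits the records returned by the standard `indexedDB.databases()` call for names that embed identifiers. The patterns, function names and sample database names are constructed assumptions.

```javascript
// Added example: audit a site's own IndexedDB database names for embedded
// user identifiers. Patterns and sample names are constructed for illustration.
const IDENTIFIER_PATTERNS = [
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'email', re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { kind: 'long-numeric-id', re: /\d{10,}/ },   // e.g. an account number
  { kind: 'long-hex-token', re: /[0-9a-f]{24,}/i },
];

// Return the kinds of identifier that appear in one database name.
function findIdentifiers(name) {
  return IDENTIFIER_PATTERNS.filter((p) => p.re.test(name)).map((p) => p.kind);
}

// `records` has the shape indexedDB.databases() resolves to:
// an array of { name, version } objects.
function auditDatabaseNames(records) {
  const findings = [];
  for (const { name } of records) {
    const kinds = findIdentifiers(String(name));
    if (kinds.length > 0) findings.push({ name, kinds });
  }
  return findings;
}

// Constructed sample input; in a browser, on your own origin, use:
//   auditDatabaseNames(await indexedDB.databases())
const SAMPLE_RECORDS = [
  { name: 'app-cache', version: 1 },
  { name: 'offline-store:108234567890123456789', version: 3 },
  { name: 'msgs|jane.doe@example.com', version: 1 },
  { name: 'session-3f2b8c1e-9a4d-4c7b-8e21-5d6f7a8b9c0d', version: 2 },
];

for (const f of auditDatabaseNames(SAMPLE_RECORDS)) {
  console.log(`${f.name} -> ${f.kinds.join(', ')}`);
}
```

Any name the audit flags would identify the signed-in user to whoever can list database names, so such names are better replaced with a fixed, non-identifying one.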

For Mac users, the problem affects Safari 15; for iPhone and iPad users, it affects all Safari versions running iOS 15 and iPadOS 15. Furthermore, the Chrome browser on iOS 15 and iPadOS 15 is also affected. Why? Because both Safari and Chrome employ Apple’s open source WebKit browser engine, the flaw affects them both. There is no benefit to using Private Mode or Incognito Mode.

You should use a different browser on your Mac until Apple acknowledges the problem and releases a patch. Because all browsers on iPhones and iPads utilise WebKit, which contains the problem, there isn’t much of an alternative for those with those devices.

Founder and Chief Editor of Network Herald. A passionate Blogger, Content Writer from Mumbai. Loves to cover every current affair in terms of technology. He writes about the how-to guides, tips and tricks, top list articles.
