In November 2021, reports of a Safari bug that endangers user privacy cropped up online. Affecting Safari users across multiple devices, the Safari 15 IndexedDB bug allows websites to access database information that they are not supposed to.
In essence, this means websites you visit on Safari can see which other websites you’ve been visiting as well. We’ll explain what you can do to stop it below.
What Does This Safari 15 Bug Do?
Based on reports from FingerprintJS, the IndexedDB API violates the same-origin policy in Safari 15 on iPhones, iPads, and Macs. With this vulnerability, a website that a Safari user visits can also see which other websites are open in the user's tabs or windows.
Aside from this, the bug also reveals the names of databases for any domain, which hackers can use to extract identifying information about you. Although access to the actual content of each database remains restricted, data scraping using this vulnerability is still a cause for concern.
FingerprintJS notes that hackers could target users by obtaining their browser info through their Google user ID. By using sites like YouTube, Google Calendar, and so on, Safari users are in danger of revealing their public information to other websites without giving consent.
In addition, the vulnerability also allows websites to piece together unrelated accounts under your online profile. For people looking to decentralize their online identity, this can be troublesome.
If you’re keen to try it for yourself, FingerprintJS also released a live demo, which simulates how the vulnerability works with 30 commonly visited websites.
In the demo, Safari users can see how many databases are leaking from their browser based on the websites they have visited. If possible, the demo will also reveal your unique Google user ID and profile photo.
As of January 2022, Apple engineers have started working on resolving the issue, as shown on GitHub. Ideally, Safari will limit each website to seeing only the databases created by the same domain name as its own. As of writing, all current versions of Safari on iPhone, iPad, and Mac are experiencing the bug.
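Because the leak concerns database names, what a site puts in those names decides how much a visitor reveals. The sketch below is an added example, not code from FingerprintJS or Apple: it models the same-origin rule over constructed data and flags names that embed an account identifier. The origins, database names, patterns, and function names are all assumptions made for illustration.

```javascript
// Constructed sample data: one entry per IndexedDB database in a browser session.
const sessionDatabases = [
  { origin: "https://video.example", name: "user-108246813579024681357-settings" },
  { origin: "https://video.example", name: "player-cache" },
  { origin: "https://calendar.example", name: "offline.jane.doe@example.com" },
  { origin: "https://news.example", name: "articles" },
];

// Intended behaviour: a page may list only the databases its own origin created.
function listSameOrigin(dbs, callerOrigin) {
  return dbs.filter((d) => d.origin === callerOrigin).map((d) => d.name);
}

// What the bug adds to that list: names created by every other origin.
function namesExposedByBug(dbs, callerOrigin) {
  return dbs.filter((d) => d.origin !== callerOrigin).map((d) => d.name);
}

// Hypothetical patterns for account identifiers embedded in a database name.
const IDENTIFIER_PATTERNS = [
  { kind: "numeric-id", re: /\d{12,}/ },
  { kind: "email", re: /[^\s@:|]+@[^\s@:|]+\.[a-z]{2,}/i },
  { kind: "uuid", re: /[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/i },
];

// Site-owner audit: which database names would identify the user if they leaked?
function auditNames(names) {
  return names.flatMap((name) =>
    IDENTIFIER_PATTERNS.filter((p) => p.re.test(name)).map((p) => ({ name, kind: p.kind }))
  );
}

const caller = "https://news.example";
console.log("same-origin view:", listSameOrigin(sessionDatabases, caller));
const exposed = namesExposedByBug(sessionDatabases, caller);
console.log("extra names visible under the bug:", exposed);
for (const finding of auditNames(exposed)) {
  console.log(`identifying name (${finding.kind}): ${finding.name}`);
}
```

A site that keeps user identifiers out of its database names leaks only the fact that it was visited, not who visited it.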
What Can You Do to Protect Yourself From the Safari 15 Bug?
In the meantime, Safari users can make use of potential workarounds while the vulnerability persists. Until Apple can resolve its Safari issues with an update, there are only a few things that Safari users can do to protect themselves:
Remove Publicly Available Information
Because the Safari 15 bug actively exploits databases, it makes sense to reduce access to data it can gather. So, while you cannot make your Google ID disappear, you can make it possible for less information to be associated with it. For example, you can remove your Google profile photo and change the name on your Google account temporarily.
Work on Decentralizing Your Personal Data
While the new bug can associate separate online accounts in Safari, it is possible to make it more difficult for hackers to pull useful data from them. To accomplish this, it is best to actively decentralize your personal data, which you can do by creating multiple email addresses, avoiding single sign-on services, and so on.
Avoid Unnecessary Browsing
Until Apple resolves the Safari 15 bug, you may want to spend less time on random websites that you don’t necessarily trust with your data. In fact, there’s no guarantee that more reputable websites won’t try to exploit this vulnerability either. For this reason, you may want to use your iPhone’s Screen Time feature to keep you offline for longer.
Use a Different Browser
If all else fails, you may want to consider trying a different browser instead. In fact, there are plenty of alternative browsers that offer great privacy options.
Give Safari a Break
For browser data to be exploited, end users don’t even have to do anything except leave a Safari tab or window open. Unfortunately, the Safari 15 bug also affects Safari’s Private Browsing mode, so that’s not a perfect solution either.
However, there are other little things that you can do to keep your browsing safe and secure. You can also follow Apple and related trending topics on social media to learn when the developers resolve the issue.