Apple is preparing new versions of iOS and macOS that include an important fix for a recently discovered flaw in WebKit, the web browser engine used by Safari and many other apps on the two operating systems.
On January 14, researchers from FingerprintJS made a worrying disclosure: a bug in Safari 15’s implementation of the IndexedDB API lets any website track the user’s browsing activity and even reveal their identity.
The team had discovered and reported the issue to the WebKit Bug Tracker on November 28, 2021. Seeing how Apple took too long to address it, they decided to go public and make sure users are at least aware of the flaw. This demo site lets people see the vulnerability in action.
“The demo illustrates how any website can learn a visitor's recent and current browsing activity (websites visited in different tabs or windows) using this leak,” according to Martin Bajanik, Software Engineer at FingerprintJS. “For visitors, logged into Google services, this demo can also leak Google User IDs and profile pictures.”
Apple engineers have since addressed the flaw in internal iOS and macOS builds. 9to5mac reports that the latest release candidates (RC) of iOS 15.3 and macOS Monterey 12.2 address the issue.
“When running the same tests on devices updated to iOS 15.3 RC and macOS 12.2 RC, the website shows no data and says that the user is not logged into a Google Account,” Filipe Espósito reports for the Apple-focused news site.
It’s important to note that users are still exposed as these updates have yet to be made public. In a typical development cycle at Apple, a release candidate (RC) build precedes a final release. Those final builds of iOS 15.3 and macOS 12.2 should arrive relatively soon.
macOS users, however, have a decent workaround – set Safari aside and use a different browser until Apple delivers the fix. Notably, Safari 14 is unaffected, so Mac users on older macOS versions and Safari 14 or older are safe.