The recent findings show that Safari 15 can leak your real-time browsing activity, and even reveal your identity. This Safari 15 bug originates from an issue with IndexedDB, which is an API that stores data on your browser. IndexedDB is an API that is designed to store different types of data. It is supported in many browsers and it is used very often.
IndexedDB is a low-level API, and that is why developers use it to apply wrappers in order to create a more developer-friendly API. This API is following the same-origin policy which is a security mechanism that restricts how scripts or documents that are loaded from one origin can interact with things from another origin. Usually, an origin is represented by the domain, protocol, and the adequate port of the URL.
In the case of Apple browser Safari 15, we have a situation where the same-origin policy is violated by the IndexedDB API. When a website interacts with a database, there is another database that is created. It contains all active tags, frames, and windows. If you do not switch to a different profile, which is possible in Chrome, your data will be unprotected in Safari 15.
This situation is a privacy violation because database information can leak from one source to another. Arbitrary websites can learn what websites you visit in different windows and tabs. This happens because database information is usually website-specific and unique. In some cases, websites use identifiers in database information pieces, which can lead to the users whose personal information can be revealed.
Some popular information of the users can be Google Analytics user ID, Google Keep ID, YouTube ID, and many others. All this information and data are violated, and databases are created for the mentioned accounts.
Google generates an internal identifier in the form of a Google User ID, and this identifier represents a single Google account. This account is usually used with Google APIs to carry the information about the owner of the account. There are many information pieces that are exposed with these APIs, and one of the most common details is the user profile picture.
Malicious and untrusted websites can reveal the user’s identity, and this could be a huge problem when it comes to security concerns.
These API programming leaks do not depend on the user’s activity. They do not depend on any specific action. A window or a tab that runs in the background can find out what websites the user visits in real-time.
Many people wonder if a private mode protects against the leak. The answer is simple. A private mode in Safari 15 does not protect from the leak. If we know that browning in private mode is restricted to a single tab, the information that is available via the leak is restricted. However, when you visit multiple websites in the same tab, the information pieces that interact with these websites are leaked.
In order to protect yourself from this situation, you should take drastic measures. There is not much to do if you are an iPadOS or iOS user, but you can still protect yourself from the leaks. One of the solutions is to block JavaScript by default and to allow it only on the trusted websites that you consider safe. This will make the browsing sessions more restricted and inconvenient, and this is not a perfect solution for most users.
Another option is to choose a different browser and avoid Safari 15. If you are using iOS or iPadOS, this is also not useful, because all the browsers are affected. One of the best solutions is to wait for Apple to resolve this issue and update your browser and OS to avoid this problem.