A critical vulnerability in Safari can be exploited to expose your browsing history as well as some of your Google Account data. The bug, revealed by FingerprintJS, causes IndexedDB to violate the same-origin policy, exposing data it has collected to websites it didn't collect it from.
The same-origin policy is a rule enforced by web browsers, which controls access to data between websites and web applications. Simply put, a script from one webpage can only access data from another page if they have the same origin. Bypassing this security mechanism puts your data and privacy at risk.
"Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user," wrote FingerprintJS.
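The same-origin rule described above, modeled as an added example (not code from FingerprintJS, Apple or WebKit): storage in which every read and every database listing is keyed by the caller's origin. `OriginScopedStore`, its methods and the `*.example` URLs are hypothetical names constructed for illustration.

```javascript
// Simplified model of origin-scoped storage (illustrative, not a browser API).
// An origin is the (scheme, host, port) triple. URL.origin normalizes default
// ports, so https://mail.example:443 and https://mail.example are the same origin.
function originOf(url) {
  const origin = new URL(url).origin;
  if (origin === "null") throw new Error(`opaque origin: ${url}`);
  return origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

class OriginScopedStore {
  constructor() {
    this.byOrigin = new Map(); // origin -> Map(dbName -> Map(key -> value))
  }
  // Every operation starts from the caller's origin, never from a name alone.
  bucket(callerUrl) {
    const origin = originOf(callerUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    return this.byOrigin.get(origin);
  }
  put(callerUrl, dbName, key, value) {
    const dbs = this.bucket(callerUrl);
    if (!dbs.has(dbName)) dbs.set(dbName, new Map());
    dbs.get(dbName).set(key, value);
  }
  get(callerUrl, dbName, key) {
    const db = this.bucket(callerUrl).get(dbName);
    return db ? db.get(key) : undefined;
  }
  // Listing is scoped too: a caller sees only its own origin's databases.
  listDatabases(callerUrl) {
    return [...this.bucket(callerUrl).keys()].sort();
  }
}

// Constructed sample data: two unrelated sites storing data in one browser.
function demo() {
  const store = new OriginScopedStore();
  store.put("https://mail.example/inbox", "session", "user", "alice");
  store.put("https://shop.example/cart", "cart", "items", 3);
  return {
    ownRead: store.get("https://mail.example/settings", "session", "user"),
    crossRead: store.get("https://shop.example/", "session", "user"),
    crossList: store.listDatabases("https://shop.example/"),
    portNormalized: sameOrigin("https://mail.example:443/", "https://mail.example/"),
    schemeDiffers: sameOrigin("http://mail.example/", "https://mail.example/"),
    subdomainDiffers: sameOrigin("https://www.mail.example/", "https://mail.example/"),
  };
}
```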
Who is affected by the Safari security flaw?
The issue affects all major Apple platforms - iOS 15, iPadOS 15 and macOS Monterey.
What can Mac users do to avoid the Safari vulnerability?
For Mac users, the easiest way to avoid the vulnerability is to switch from Safari to a different browser. For iOS or iPadOS, this will unfortunately not solve the issue: Apple's requirement that all iOS and iPadOS web browsers use WebKit means the IndexedDB bug affects every browser on these systems.
Browsing in Safari's private mode can mitigate the potential damage only in some circumstances and is not a sure-fire solution to the vulnerability.
How is Apple responding to the Safari security bug?
The company has acknowledged the issue and is now working on a fix which, as noted by MacRumors, will require Apple to release updated builds of iOS 15 and macOS Monterey to include a new version of Safari. It's important that Mac users install the necessary system updates once the fix becomes widely available.