Update 1/19: Apple is working on a fix, according to a GitHub post.
Just days after Apple patched a bug that could allow a hacker to send your iPhone into an endless loop of crashes, FingerprintJS has uncovered a Safari vulnerability that could expose your internet activity and personal data to an open website.
The bug originates in the IndexedDB API, which is used for client-side storage of significant amounts of structured data, according to Mozilla. As FingerprintJS explains, since IndexedDB is a low-level API used by all major browsers, many developers “choose to use wrappers that abstract most of the technicalities and provide an easier-to-use, more developer-friendly API.”
According to FingerprintJS, however, Safari’s implementation of IndexedDB violates the same-origin policy, the security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins. Consequently, arbitrary websites could spy on the other websites a user visits in different tabs or windows.
Since some websites use unique user-specific identifiers in database names, FingerprintJS explains that authenticated users can be “uniquely and precisely identified.” Sites that do this include YouTube, Google Calendar, and Google Keep. And since you’ll be logged in to those sites using your Google ID, the databases created for that account, which include personal information, could be leaked. FingerprintJS uncovered several other sites vulnerable to the bug, including Twitter and Bloomberg.
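For site developers, the exposure described above depends on what a database name encodes. The following added example (not code from the article or from FingerprintJS) audits a page's own IndexedDB database names for embedded identifiers; the patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: flag IndexedDB database names that embed user identifiers.
// The patterns are assumptions about what "user-specific" looks like;
// adjust them to the ID formats your own application uses.
const ID_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { kind: "long-number", re: /\d{10,}/ },
  // 16+ hex characters standing alone as a token (no lookbehind, for older Safari).
  { kind: "hex-token", re: /(?:^|[^0-9a-z])[0-9a-f]{16,}(?![0-9a-z])/i },
];

// Returns { name, kind } for the first pattern that matches, or null if none do.
function classifyName(name) {
  for (const { kind, re } of ID_PATTERNS) {
    if (re.test(name)) return { name, kind };
  }
  return null;
}

// Returns one finding per database name that looks user-specific.
function auditDatabaseNames(names) {
  return names.map(classifyName).filter((finding) => finding !== null);
}

// In a browser, audit the databases the current origin has created.
// Returns null where the listing API is not available (for example, in Node).
async function auditThisOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null;
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-settings",
  "offline-cache:123456789012345678901",
  "notes_3f2b8c1e-9a47-4d2e-b5a1-0c7e6d9f1a23",
  "mail|jane.doe@example.com",
  "keyval-store",
  "session_9f86d081884c7d65",
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${f.kind.padEnd(12)} ${f.name}`);
}
```

A name that is flagged is a candidate for replacement with a constant or a per-install random value that is not derived from the account.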
According to a WebKit post on GitHub (spotted by 9to5Mac), Apple is aware of the issue and working on a fix.
You can see the bug in action using a demo created by FingerprintJS. The only known mitigation is to change browsers on macOS. iOS and iPadOS users have fewer options due to Apple’s handling of browser engines, though FingerprintJS notes that users could block all JavaScript by default and only allow it on trusted sites. That, or just wait for an update to arrive. Apple is currently preparing iOS 15.3 and macOS 12.2 for release, but it’s unclear if they include a Safari fix.
Michael Simon has been covering Apple since the iPod was the iWalk. His obsession with technology goes back to his first PC—the IBM Thinkpad with the lift-up keyboard for swapping out the drive. He's still waiting for that to come back in style tbh.
January 17, 2022 at 05:52PM
Safari 15 bug leaks your iPhone and Mac browsing activity as you work - Macworld