(RightWing.org) – Tech giant Apple is scrambling to fix a massive security hole in its latest web browser that has exposed millions of users’ internet activity to harvesting by websites.
A new unpatched flaw in #Apple Safari 15's implementation of the IndexedDB API could be exploited by online trackers to fingerprint users and track their online activities across websites.
— The Hacker News (@TheHackersNews) January 16, 2022
On January 14, internet security company FingerprintJS announced it had found a serious bug in Apple’s Safari 15 browser. The current version of the browser, released last September, “leaks” data on what websites a user has visited. A site they’re visiting can pull details of previous sites, and even see what they’re doing in other tabs. Worst of all, a site can extract the user’s Google user ID – and that can be used to find a lot of personal information.
FingerprintJS says Apple has violated a basic security protocol that prevents one browser tab from having access to data in other open tabs. The protocol was correctly implemented in earlier versions of Safari, but in Safari 15, the iPadOS 15 browser and all iOS browsers, it’s broken. Over 3% of the most popular websites contain tracking software that can exploit this leak.
Apple engineers started working on a fix by January 16 and say they’ve resolved the issue – but the fix hasn’t been released to users yet. Until that happens, Safari 15 users remain vulnerable.
Copyright 2022, RightWing.org