Apple patches Safari bug that leaked user data


Apple has pushed iOS 15.3 RC and macOS Monterey 12.2 RC to developers and beta users as part of a plan to fix a Safari flaw that leaked browsing history and some Google data.

This follows recent news that cybersecurity researchers from FingerprintJS had found a problem in an Apple API, IndexedDB, which is used to store data in the browser.

Safari 15 has a security measure that prevents a malicious page opened in one tab from reading the data generated by websites opened in another tab. The researchers found that the API doesn’t follow this policy and instead creates a new database with the same name in all other active frames, tabs, and windows within the same browser session.

No wider release just yet

Describing the potential ways to leverage the flaw, the researchers explained that a malicious page opened in one tab could obtain data generated by a page in another. Furthermore, the flaw can be leveraged to obtain Google account data.

Google’s services (for example, YouTube) generate databases containing the unique Google User ID in their names. As these IDs are used to access public information, such as a profile picture, other sites could see it as well.
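Since database names were the part that other sites could see, a site can audit its own IndexedDB names for embedded user identifiers. The sketch below is an added example, not code from the article or from FingerprintJS; the heuristic patterns, function names and sample database names are constructed assumptions, while `indexedDB.databases()` is the standard browser call it relies on.

```javascript
// Added example: audit the IndexedDB database names a site creates.
// Names are what this bug exposed across origins, so they should not
// embed anything that identifies the signed-in user.

// Heuristic patterns for identifier-like substrings (assumptions).
const PATTERNS = [
  { kind: "long-numeric-id", re: /\d{12,}/ },
  { kind: "email", re: /[^\s@:|]+@[^\s@:|]+\.[a-z]{2,}/i },
  { kind: "uuid", re: /[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/i },
];

// Return every reason a single database name looks user-identifying.
function auditName(name, knownUserIds = []) {
  const findings = [];
  for (const id of knownUserIds) {
    if (id && name.includes(id)) findings.push({ kind: "known-user-id", match: id });
  }
  for (const { kind, re } of PATTERNS) {
    const m = name.match(re);
    if (m) findings.push({ kind, match: m[0] });
  }
  return findings;
}

// idbFactory is window.indexedDB in a browser; databases() resolves to
// [{ name, version }] for the current origin.
async function auditDatabases(idbFactory, knownUserIds = []) {
  const dbs = await idbFactory.databases();
  return dbs
    .map(({ name }) => ({ name, findings: auditName(name, knownUserIds) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed stand-in for one origin's databases, so this runs outside a browser.
const sampleFactory = {
  databases: async () => [
    { name: "settings", version: 1 },
    { name: "media-cache:104857600123456789012", version: 3 },
    { name: "drafts|alice@example.com", version: 1 },
  ],
};

auditDatabases(sampleFactory, ["104857600123456789012"]).then((report) =>
  console.log(JSON.stringify(report, null, 2))
);
```

In a browser, pass `window.indexedDB` and the current user's identifiers in place of the sample values.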

FingerprintJS has even created a dedicated website to demonstrate the bug in the wild. Now, as reported by 9to5Mac, testing for the flaw on devices updated to iOS 15.3 RC and macOS 12.2 RC has shown that the website no longer sees any data, and shows the user as not being logged in to their Google account.

The researchers claimed that the flaw affected all iOS 15 and macOS Monterey versions, until this newest one. iOS 14, however, was not affected, nor were those still using Safari 14 on older versions of the Mac.

Apple has yet to set an official release date for these new versions of the operating system, but given that the Release Candidate version has already been shipped, it’s safe to assume that it won’t take too long.


Via: 9to5Mac


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
