Apple’s newly updated Safari 15 comes with a vulnerability that cybercriminals can exploit. After the launch of Apple’s Safari 15, FingerprintJS, a fraud detection service, exposed a bug in Apple’s browser and explained how it threatens the privacy of end-users.
For starters, anyone can use the bug to obtain vital details about end-users, such as their detailed browsing history and Google account details. Sadly, the bug hasn’t been fixed. Here’s how the bug got into the update in the first place.
The bug entered Apple’s Safari browser through the IndexedDB (indexed database) API. IndexedDB is part of Apple’s web development kit.
Think of the Indexed DB as a memory that saves your details and history, so you can access some sites faster the next time you visit them.
Usually, the API follows a strict security rule known as the same-origin policy, which prohibits Safari from exposing one website’s user data to other websites.
However, this bug violates the same-origin policy, and here’s how. First, here’s how things worked before the bug reached Safari.
When you log into your Google account for personal business and open another tab to visit a malicious site, the malicious site can’t see what you’re doing.
It can’t access your Google account in the other tab. But since the bug appeared in Safari, the other websites you interact with can now pry into your browsing history.
They can now harvest your data, such as the sites you visited, your activities on those sites, who you sent a Gmail to, and your Google account details. Generally, anyone who knows how to exploit the bug can obtain your Google ID and track your activities, as long as you browse with Safari 15.
It gets scarier, as your Google ID is unique to you. Your Google ID also links to your Google account, where all your data lives. So browsing on Safari 15 exposes you to these threats.
Anyone who can use the bug to their advantage can do anything with your data. FingerprintJS created a demo that any Safari 15 and Apple product end-user can access to confirm its claim.
The demo walks end-users through how anyone who can exploit the Safari 15 vulnerability can acquire their data. The demo identifies up to 30 websites affected by the bug, including Netflix and Xbox.
Here’s the kicker: private browsing mode on Safari can’t save you from the bug, as it is affected as well. Sadly, Apple doesn’t seem to have made any move to fix the bug since FingerprintJS’s revelation.