Updated January 17th, 2022 at 14:39 IST

Apple Safari browser bug allows websites to access browsing history and other information

FingerprintJS reported the bug to Apple back in November 2021, but the company has not resolved the issue yet. Read along to find out more information.

Reported by: Shikhar Mehrotra

There is a bug in the Apple Safari 15 web browser that can leak a user's personal information, including their browsing history. It was discovered by a browser fingerprinting service called FingerprintJS. According to the official blog post, all current Safari web browsers that run on iPhones, Macs and iPads are affected and can be exploited by malicious websites to extract users' information without their knowledge.

FingerprintJS reported the bug to Apple back in November 2021, but the company has not resolved the issue. The published report says that Apple's implementation of the IndexedDB API violates the same-origin policy. That policy essentially allows a website to access only the database created by its own domain, hiding the user's other activities from the website. As mentioned earlier, the Safari browser is affected by the bug.

How can the Safari browser bug affect a user?

The bug is present in Safari's IndexedDB API on both iOS and Mac devices. Normally, a website is able to access only the data related to its own domain while a user browses through it. However, because of the bug, any website can learn about the recent browsing history of a user and current browsing activity, including the name of the website visited and other information related to a user's Google ID.

Google services use the IndexedDB API to store information about all the logged-in accounts on a device. Using the bug, a website can access users' information related to their personal accounts. In a recent live demo of how the bug works, it has been shown to access users' recent browsing history along with their profile pictures. Potentially, all the websites that use the IndexedDB API in JavaScript can access users' data.

What is IndexedDB API?

As mentioned on Mozilla web docs, IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs. The API uses indexes to enable high-performance searches of this data. In other words, the API is a solution for storing large amounts of data while surfing the web, and it stores the information in the browser itself. In this case, it is the implementation of this API that is causing the problem with Apple's Safari web browser.


Published January 17th, 2022 at 14:39 IST