This Safari bug could be leaking your recent browsing history

It’s been uncovered that a Safari 15 bug can disclose your recent browsing history and even some info from logged-in Google accounts.

A blog post from FingerprintJS (via 9to5Mac) has revealed that a huge bug in Safari 15 can leak your recent browsing history from the app.

Anyone who has linked their Google account to Safari could also be at risk of having their personal information revealed.

This vulnerability has been traced back to an issue with the way Apple implements IndexedDB, which is an application programming interface (API) that stores data in your browser.

The bug means that a website can see the names of databases for any domain on Mac and iOS, not just their own. Using the names, websites can extract identifying information from a lookup table.

For instance, if you were to open up your email on one webpage and then open up another webpage that happens to be malicious, Apple’s implementation of the API means that the malicious website can view your email and scrape your Google User ID, which can be used to find out more information about you.

Usually, a policy called same-origin policy would block this from happening, as it restricts one origin from interacting with data that is collected elsewhere; in other words, if you were to open your email and then a malicious website, the dangerous website would have no way of accessing your email or other webpages you interact with.

FingerprintJS also mocked up a proof-of-concept demo, which shows a lookup table of around 30 domain names affected by the browser’s IndexedDB vulnerability, including Netflix, Twitter and Xbox. You can use the site if you have Safari on any Apple device to see any sites you have opened recently and see how the bug can access your information.

However, it has been pointed out that the same technique could be used on a larger set of domain names, with any website that uses the IndexedDB JavaScript API now vulnerable to data scraping.
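Since the database names are what leak, a site owner can check whether the names their own application creates embed anything identifying. The sketch below is an added example, not code from FingerprintJS or this article; the function names, patterns and sample names are constructed for illustration, and the patterns are heuristics that will produce some false positives.

```javascript
// Added example: flag IndexedDB database names that would identify a user
// if the names were exposed to other origins. Patterns are heuristics and
// the sample names below are constructed, not taken from any real site.
const PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi },
  { kind: "hex-token", re: /[0-9a-f]{24,}/gi },
  { kind: "numeric-id", re: /\d{10,}/g },
];

// Returns the kinds of identifier found in one name, plus a redacted copy
// that is safe to put in logs or a bug report.
function inspectName(name) {
  const findings = [];
  let redacted = name;
  for (const { kind, re } of PATTERNS) {
    // Replace each match with a placeholder so later patterns cannot
    // re-match part of an identifier that was already classified.
    const next = redacted.replace(re, `<${kind}>`);
    if (next !== redacted) findings.push(kind);
    redacted = next;
  }
  return { name, findings, redacted };
}

// Keeps only the names that carry something identifying.
function auditDatabaseNames(names) {
  return names.map(inspectName).filter((r) => r.findings.length > 0);
}

// Constructed sample: names an application might pass to indexedDB.open().
const SAMPLE_NAMES = [
  "mail-cache-v3",
  "offline.settings.123456789012345678901",
  "drafts:alice@example.com",
  "session-3f2a9c1e-7b4d-4e8a-9c1f-0a1b2c3d4e5f",
  "ui-state",
];

for (const r of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`${r.findings.join(",")}: ${r.redacted}`);
}
```

Names that are flagged are candidates for renaming to a fixed, user-independent string, with the per-user data kept inside the database rather than in its name.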

Unfortunately, all current versions of Safari on iOS and Mac are unprotected, with Apple currently not commenting on the issue that was originally reported by FingerprintJS on 28 November.

We will be sure to keep you updated with this leak as soon as more information comes out. We have reached out to Apple for a comment but had not heard back at the time this article was written.
