Apple is in the works to fix a serious Safari bug that allows access to your Google ID

Recently, we reported on a serious Safari bug that could let websites track your browsing history and Google ID on iOS 15 and iPadOS 15. Now, AppleInsider reports that Apple is currently working to resolve the bug as soon as possible.

Apple working to resolve the Safari bug you can do basically nothing about

A few days ago, we reported on the bug that was found by researchers, an issue that affected the way Apple had implemented IndexedDB API in Safari 15. Pretty much, the bug allows any website to track the browser's internet activity, which could in its way determine a user's identity.

This quite serious bug, luckily, is about to get its solution from Apple, as Cupertino is now preparing a fix for it, according to a WebKit commit on GitHub. So far, the fix has not been rolled out yet, and it will be available when the update comes for iOS 15, iPadOS 15, and macOS Monterey.

At least we now know the bug has been acknowledged and an update could be coming soon.

What is this Safari bug exactly?

This bug affects iOS 15, iPadOS 15, and macOS Monterey, basically the operating systems that have Safari 15. The bug was found in an Application Programming Interface (API) used and supported by most browsers, and it could be used by attackers to find out many things about the user browsing. The problematic API is called IndexedDB, and it has a significant amount of data it holds.

Typically, the API should allow a site to access data that it generated only, and not to access other websites' data. However, Safari 15's bug violates a policy that would ensure the correct functioning of the API. The researchers that discovered it claim that whenever a website interacts with the database of the API, a new empty database using the same name is created in all other active frames, tabs, and windows within the same browser session.

Basically, the bug allows websites to get access to your Google ID. It can present an attacker with a lot of personal information about you. This can be used to identify a specific Google account, reveal your profile picture to the hacker. Additionally, it could allow the hacker to unravel multiple separate accounts owned by the same user.

Unfortunately, this bug allows a potential hacker to get access to this info without you doing anything in particular (no clicking on weird links or downloading click-baity photos required). Here's what the researchers' report stated "A tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real-time. Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site."

Is there a way to protect yourself?

Pretty much, unfortunately, there is little Safari users can do about the issue, other than wait for the bug to be fixed by Apple and update their devices as soon as the update is released. It is possible to block JavaScript by default and enable it only on trusted websites, but this could harm the browsing experience.

Another alternative is to temporarily use a different browser, instead of Safari. Despite that, the researchers have admitted that the only real protection against this bug is Apple releasing a fix and you updating your device (iPhone, iPad, or Mac) as soon as it is released.

So far, it is unknown when Apple will complete the fix for the bug and when the update will be rolled out. When we know more, we'll make sure to inform you, so stay tuned!