Safari 15 may include a significant security issue for which there is now no fix available

Security experts have discovered a huge hole in Apple’s newest internet browser that is leaking browsing history and even certain identifying data stored in related Google accounts.

Per a blog post by cybersecurity firm FingerprintJS, the issue stems from an Apple API called IndexedDB, which is used to store data in Safari 15.

Safari 15 has a security feature that stops malicious pages from reading data created by websites open in another tab when they are opened in one tab. According to FingerprintJS, Safari 15’s IndexedDB API ignores this restriction (known as the same-origin policy), instead creating “a new (empty) database with the same name in every other active frames, tabs, and windows inside the same browser session.”

There is currently no patch available

The researchers also detailed how the weakness might be exploited to get access to Google account information. Google’s services (such as YouTube) create databases with the Google User ID included in their names. Other sites may be able to view this information since these IDs are used to access public information, such as a profile picture.

The researchers have created a demo, which you can see at this link, to demonstrate how a website may learn about a visitor’s previous and present browsing activities. It now finds 30 impacted sites, but the list is likely far more.

There does not seem to be a remedy to the issue at this time. The bug also impacts Safari’s Private Browsing mode, according to The Verge, and with Apple’s third-party browser engine restriction on iOS, all other browsers are impacted as well.

The problem was reported to Apple’s WebKit Bug Tracker in late November of last year, but the company has yet to offer a browser update and has been mute on the issue.

According to the researchers, one approach is to ban all JavaScript by default and enable it only on trustworthy sites. However, they found that current web browsing is “inconvenient” and “likely not an acceptable answer for everyone.”