Security firm FingerprintJS released a report of an error found in the iOS 15 version of the Safari mobile browser. The report states that this error “allows any website to track your internet activity and even reveal your identity.” An error found in the application programming interface (API) used and supported by most search engines can be used by attackers to learn many things about you.
Developers use APIs to connect parts of software with other software, which facilitates program development. One such API, called IndexedDB, is supported by most major search engines and contains what the report calls a “significant amount of data.”
The bug in iOS 15, iPadOS 15 and macOS allows random websites to know which other sites the user is visiting on other windows and tabs. This is possible because sites such as YouTube, Google Calendar, and Google Keep use “unique user-specific identifiers” in the names of their databases. As a result, authenticated users can be identified because the above-mentioned sites create databases that include the Google ID of the user belonging to the user, and the databases are opened for all accounts used.
Google’s user ID leads the attacker to a wealth of personal information. Each of them can be used to identify a specific Google account and, in combination with Google APIs, can, at the very least, reveal an image of your profile to a hacker. It could also help the attacker collect much more personal data and discover “multiple separate accounts” owned by the same user, Phonearena writes.
Unfortunately, this does not require you to perform any specific action because the report states that a tab or window that runs in the background and constantly asks the IndexedDB API for available databases can find out which other sites the user is visiting in real-time. Alternatively, websites can open any website in an iframe or pop-up window to trigger an IndexedDB-based leak for that particular site. “
FingerprintJS checked with the 1,000 most visited Alexa sites and found that 30 interacted with indexed databases directly on their homepage, without any interaction or authentication required by the user. Even if a person uses private mode in Safari, if he visits several websites using the same card, all the databases he interacted with leak to the sites that the user subsequently visits.
If you want to check this out on your iPhone or iPad, open Safari and direct it to safarileaks.com and follow the simple instructions. The name of the last site you visited (if it was one of the sites listed on the Demo page) appears quickly, and your unique Google user ID can be accessed.
Honestly, the only solution you have is to wait for Apple to update the iOS and iPadOS software and be sure to install it as soon as it is released. Again, if you’re using a Mac, changing the browser is a valid option, although that’s not the case with iOS and iPadOS. And keep in mind that users do not have to perform any specific action to trigger this error.