Apple Is Not Always Safe, Safari Browser Turns Out To Expose Users' Personal Information

JAKARTA - Apple is known as a company that touts privacy and security across all its devices and applications, but a recently reported case shows the opposite.

According to a report filed on the WebKit Bug Tracker by FingerprintJS, Apple's Safari browser has a vulnerability that could expose users' browsing history and personal information.

The bug, introduced in Safari 15, comes from the Indexed Database API (IndexedDB), which is part of Apple's WebKit. The API is used to store data from websites that users have visited so that the sites load faster when users return.

IndexedDB is supposed to stop data from one origin from interacting with data from other origins. Because of the bug, that separation does not happen.

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API violates the same origin policy. Every time a website interacts with a database, a new (blank) database with the same name is created across all tabs, and other active windows within the same browser session,” said software engineer Martin Bajanik, as quoted by The Independent, Tuesday, January 18.

"This allows arbitrary websites to learn what websites the user is visiting in different tabs or windows. This is possible because database names are usually unique and specific to the website."

Sometimes, Bajanik says, this includes unique user-specific information, allowing people to be tracked after using YouTube, Google Calendar, Google Keep and others.

“All these websites create databases that include authenticated Google User IDs and if a user is logged in to multiple accounts, databases are created for all of these accounts,” said Bajanik.

Unfortunately, Safari users on iPadOS and iOS can't do anything in this case. Their only option is to block all JavaScript access, but that will make their browsing experience uncomfortable.

While Safari users on Mac can use a different browser, all browsers on iOS and iPadOS use Apple's WebKit, including competitors like Google Chrome. Among the 1000 most visited websites, those vulnerable due to this weakness include Instagram, Netflix, Twitter and Xbox.
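
For site developers, how much the leak described above reveals depends on what a site puts in its database names. The following is an added example, not code from FingerprintJS or the original article: it audits a site's own IndexedDB database names and flags those that embed user-specific identifiers. The function name, the heuristic patterns and the sample names are assumptions constructed for illustration.

```javascript
// Added example: audit a site's own IndexedDB database names for embedded
// user identifiers. Function name, patterns and sample data are assumptions.

// Heuristic patterns for identifiers that should not appear in a database name.
const ID_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "numeric-id", re: /(?<!\d)\d{10,}(?!\d)/ }, // long digit runs, e.g. account IDs
];

function auditDatabaseNames(names, knownUserIds = []) {
  return names.map((name) => {
    const findings = [];
    // A match against the signed-in user's own identifiers is the strongest signal.
    for (const id of knownUserIds) {
      if (id && name.includes(id)) findings.push("known-user-id");
    }
    for (const { kind, re } of ID_PATTERNS) {
      if (re.test(name)) findings.push(kind);
    }
    return {
      name,
      findings: [...new Set(findings)],
      // A name without an identifier still shows which site is open, but not who the user is.
      risk: findings.length ? "user-identifying" : "site-identifying",
    };
  });
}

// In a browser, collect the current origin's names with:
//   const names = (await indexedDB.databases()).map((db) => db.name);
// Constructed sample names (not taken from any real site):
const sampleNames = [
  "app-cache",
  "offline-store:104857600012345678901",
  "drafts_alice@example.com",
  "session-3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d",
  "prefs-v2",
];
const report = auditDatabaseNames(sampleNames, ["104857600012345678901"]);
for (const r of report) {
  console.log(r.risk.padEnd(17), (r.findings.join(",") || "-").padEnd(26), r.name);
}
```

Names flagged as user-identifying are candidates for renaming to a fixed, per-site constant, with the account identifier kept inside the database as a record key.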