A bug in the Safari browser lets some websites siphon personal user data, regardless of whether private browsing is in use, reports FingerprintJS.
In an age when the general public is increasingly paranoid about how corporations use their data online, and everyone is looking into getting VPNs and restricting online access to personal information, Apple decided to do something truly different: the exact opposite of what everyone needs. The Safari browser has made it so that websites can easily access an individual user’s data, regardless of whether or not they’re sharing third-party cookies. This means that even incognito mode, which automatically blocks cookies, is rendered completely useless. Overall, maybe users should start looking into other browsers until Apple patches Safari. How did all of this transpire? Well, it all starts with a little thing called IndexedDB.
The Indexed Database API, commonly known as IndexedDB, is a client-side database that many browsers provide, giving websites more storage capacity and a place to cache data for offline use. Typically, browsers create entirely separate instances of IndexedDB for different websites, each of which can only be accessed by the site it was created for. Safari, however, accidentally goes a step further: instead of stopping at creating individual IndexedDBs for the different sites, the browser creates additional empty ones with the same name and shares them across all of the websites that a user browses. Even a fully empty IndexedDB carries certain information that can prove detrimental to a user. The mildest offense, which is still rather worrying, is that the empty DBs still have the names of the websites they were created for, and therefore your browser history is an open book for other websites to leaf through.
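The isolation rule and the leak described above, as an added JavaScript model; it is not code from this article or from FingerprintJS. The `StorageModel` class, the origins and the database names are constructed for illustration, and the model shows that only the names cross origins while the shared copies stay empty.

```javascript
// Constructed model of per-origin database storage; it is not browser code.
class StorageModel {
  constructor(leaky) {
    this.leaky = leaky;      // true models the Safari behaviour described above
    this.own = new Map();    // origin -> Map(database name -> records)
    this.shared = new Set(); // names of the empty copies visible to every origin
  }
  open(origin, name) {
    if (!this.own.has(origin)) this.own.set(origin, new Map());
    const dbs = this.own.get(origin);
    if (!dbs.has(name)) dbs.set(name, []);
    if (this.leaky) this.shared.add(name); // empty same-name copy, shared
    return dbs.get(name);
  }
  list(origin) {
    const names = new Set(this.own.has(origin) ? this.own.get(origin).keys() : []);
    if (this.leaky) for (const n of this.shared) names.add(n);
    return [...names].sort();
  }
  read(origin, name) {
    const dbs = this.own.get(origin);
    if (dbs && dbs.has(name)) return dbs.get(name);
    return this.leaky && this.shared.has(name) ? [] : undefined;
  }
}

// Names an origin can see but never created: the isolation invariant is
// that this list is always empty.
function foreignNames(model, origin, createdByOrigin) {
  return model.list(origin).filter((n) => !createdByOrigin.includes(n));
}

// Constructed scenario: two sites store data, a third site stores nothing.
function runScenario(leaky) {
  const model = new StorageModel(leaky);
  model.open("https://video.example", "video.example:user-1234").push({ k: "v" });
  model.open("https://mail.example", "mail.example:inbox").push({ k: "v" });
  const observer = "https://news.example";
  const seen = foreignNames(model, observer, []);
  return { seen, contents: seen.map((n) => model.read(observer, n)) };
}

console.log("isolated:", runScenario(false));
console.log("leaky:   ", runScenario(true));
```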
The trouble goes deeper than just browser history, since some IndexedDBs, such as the ones made for Google apps (YouTube, Gmail), contain more than just the website name: they include individual user credentials such as usernames or passwords. Since users often tend to share these across multiple platforms, this information can prove seriously debilitating if it falls into the wrong hands.
Apple’s always taken a very hands-on approach to user privacy and security, with the Tracking/Transparency features of iOS 14 being a shining example of such behavior. I suspect this Safari bug to be little more than an oversight, one that the company will hopefully remedy as soon as possible.