Apple Once Again Fails To Take Security Seriously As Evidenced By This Safari Bug

Apple really doesn’t help their own cause by not taking security seriously despite claiming to do so. Case in point is this now public bug that has now been disclosed in this blog post from FingerprintJS which can leak data from Safari. Specifically, a website can see the names of databases for any domain, not just its own. The database names can then be used to extract identifying information from a lookup table. That is far from trivial as this means that this bug can disclose information about your recent browsing history and even some info of the logged-in Google account.

Don’t believe me? That’s fine. Feel free to try this for yourself via this live demo using Safari on iOS or macOS. I’ll wait.

Now that’s bad. But what is worse is this:

The leak was reported to the WebKit Bug Tracker on November 28, 2021 as bug 233548.

Clearly Apple doesn’t care about this. And according to FingerprintJS, there’s no way to protect yourself:

Unfortunately, there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures. One option may be to block all JavaScript by default and only allow it on sites that are trusted. This makes modern web browsing inconvenient and is likely not a good solution for everyone. Moreover, vulnerabilities like cross-site scripting make it possible to get targeted via trusted sites as well, although the risk is much smaller. Another alternative for Safari users on Macs is to temporarily switch to a different browser. Unfortunately, on iOS and iPadOS this is not an option as all browsers are affected.

The only real protection is to update your browser or OS once the issue is resolved by Apple. In the meantime, we hope this article will raise awareness of this issue.

Well, now that it’s public, it’s going to get resolved quickly. I guarantee that. But Apple has yet again dropped the ball and forced someone to go public with an issue that Apple should have taken far more seriously much earlier.

Shame on Apple.

UPDATE: To nobody’s surprise, this has been fixed in macOS 12.2 as well as iOS 15.3.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: