Apple prepared a fix for a WebKit bug that could reveal users’ recent browsing history and possibly their identity. However, it’s not clear when the tech giant will release updates with the fix.
According to MacRumors, a WebKit commit (typically refers to a revision made to code) on GitHub fixes a bug. However, Apple has not said when users could expect macOS, iOS or iPadOS updates to arrive with the fix. A January 14th blog post from FingerprintJS noted that the bug was reported to Apple on November 28th, 2021.
In short, the bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites. Put another way, a website can access a list of other websites you’ve visited (even from different tabs or windows) if they’ve stored data using this API. Typically, browsers apply same-origin policy to IndexedDB to prevent sites from accessing anything outside of their own IndexedDB database.
Moreover, sometimes websites include unique user-specific identifiers in IndexedDB database names. MacRumors pointed to YouTube as an example, which creates databases that include users’ authenticated Google User ID in the name. Malicious actors could use this identifier to fetch personal information about users through Google APIs, such as their profile picture or name.
The WebKit bug affects Safari on macOS Monterey, iOS 15 and iPadOS 15. On iOS and iPadOS, Apple also forces third-party browsers to use the WebKit engine — that means browsers like Chrome and Edge running on iOS/iPadOS 15 are also affected. However, the bug doesn’t affect older versions of macOS, or iOS and iPadOS 14.
Ultimately, that means iOS and iPadOS users can’t really do anything to protect themselves from the bug beyond installing the software patch whenever Apple makes it available. For macOS users, however, switching to another browser would work.
Those interested in learning more about the bug should check out a deep-dive on it from FingerprintJS.