Apple regularly takes steps to make browsing in Safari more secure, such as with the Safari privacy report. But with Safari 15, the current version of the browser on the iPhone, iPad and Mac, Apple has gone wrong. A bug in Safari 15 shares your browsing activity and information associated with your Google account with other websites, FingerprintJS discovered.
Safari 15 bug leaks browser activity and Google data
The bug is caused by the way the IndexedDB API is used in Safari. This is a tool that all major browsers use to build local databases. This tool works according to a so-called same-origin policy, which means that only the source that provides the information can consult it as the only one. But the bug causes Safari to ignore this policy. When you visit a website, the API creates a database for it. But at the same time, an empty database with the same name is created in all other tabs and windows within that same browser session. This allows other websites to see the name of the database and thus view your browsing activities.
But websites and services that use Google also record your unique Google User ID in the name of those databases. This unique code is used to retrieve certain personal data from your Google account. For example, think of your profile picture. In this way, other sites can retrieve personal data from your Google account.
Demo and what you can do yourself
There is a demo website where you can see for yourself which websites you have visited recently can see the database names. You will also see your own unique Google User ID and the associated profile picture. Unfortunately, there is nothing you can do at this point to work around the bug. The bug is also active in a private window. On the Mac you can choose to use a different browser, but on the iPhone and iPad it's a different story. Since all browsers there have to use WebKit (the engine behind Safari), all browsers there are affected. The discoverers already reported the bug to the WebKit Bug Tracker at the end of November 2021, but to date it has not been solved.