
Apple Prepares iOS 15.3 and macOS 12.2 to Address Nasty Privacy Flaw in WebKit (Safari)

Filip TRUȚĂ

January 25, 2022


Apple is preparing new versions of iOS and macOS that include an important fix for a recently discovered flaw in WebKit, the web browser engine used by Safari and many other apps on the two operating systems.

On January 14, researchers from FingerprintJS made a worrying disclosure: a bug in Safari 15’s implementation of the IndexedDB API lets any website track the user’s browsing activity and even reveal their identity.

The team had discovered the issue and reported it to the WebKit Bug Tracker on November 28, 2021. Because Apple took too long to address it, they decided to go public so that users would at least be aware of the flaw. A demo site lets people see the vulnerability in action.

“The demo illustrates how any website can learn a visitor's recent and current browsing activity (websites visited in different tabs or windows) using this leak,” according to Martin Bajanik, Software Engineer at FingerprintJS. “For visitors logged into Google services, this demo can also leak Google User IDs and profile pictures.”

Apple engineers have since addressed the flaw in internal iOS and macOS builds. 9to5Mac reports that the latest release candidates (RC) of iOS 15.3 and macOS Monterey 12.2 address the issue.

“When running the same tests on devices updated to iOS 15.3 RC and macOS 12.2 RC, the website shows no data and says that the user is not logged into a Google Account,” Filipe Espósito reports for the Apple-focused news site.

It’s important to note that users are still exposed as these updates have yet to be made public. In a typical development cycle at Apple, a release candidate (RC) build precedes a final release. Those final builds of iOS 15.3 and macOS 12.2 should arrive relatively soon.

Since Apple mandates that WebKit be used by default by any browser on iOS, iPhone and iPad users can’t do much to protect themselves against the flaw – except maybe block all JavaScript by default and only allow it on sites that are trusted, which makes for an inferior browsing experience, to say the least.

macOS users, however, have a decent workaround – set Safari aside and use a different browser until Apple delivers the fix. Notably, Safari 14 is unaffected, so Mac users on older macOS versions and Safari 14 or older are safe.
