Stop Using Safari Immediately (at Least for Now)

Photo: Nicole Lienemann, Shutterstock

Despite some recent negative press about AirTags revolutionising the stalking industry, Apple has developed a good reputation compared to other big tech companies when it comes to privacy and security. Knowing this, you might be surprised to learn that Apple’s own web browser, Safari, isn’t safe to use right now on any of the company’s platforms, including Mac, iOS, and iPadOS.

A critical Safari issue can leave some of your Google Account data and browsing history open for theft through an IndexedDB implementation bug. Normally, when you visit a website, that site should only be able to access databases created by its own domain. This bug, however, allows websites to see databases created by other sites, and to scrape those databases for information like your Google Account avatar, personal data, or browsing history.

Using FingerprintJS’ test site Safari Leaks, you can see this issue in action. When you open it in Safari, the site might be able to grab your Google User ID right away. Even if it can’t, you can open any of its test websites in a new tab, and return to Safari Leaks to see that browsing history reported almost immediately. If Safari were working properly, this type of information wouldn’t be accessible to Safari Leaks, since the site would only be able to access data from databases created by its domain. But it can scrape information from Alibaba, Instagram, Twitter, and potentially other websites that use the IndexedDB JavaScript API.
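
The origin scoping described above can be modelled in a few lines. This is an added example, not code from FingerprintJS, Apple or the original article: a simplified in-memory model in which the class, the function names, the origins and the database names are all constructed for illustration.

```javascript
// Simplified in-memory model of per-origin database scoping (not browser code).
// All origins and database names below are constructed sample data.

// An origin is the scheme + host + port of the page that created the database.
function originOf(url) {
  return new URL(url).origin; // e.g. "https://shop.example.test"
}

class DatabaseRegistry {
  constructor() { this.records = []; } // entries: { origin, name }

  // Called when a page at pageUrl creates a database.
  create(pageUrl, name) {
    this.records.push({ origin: originOf(pageUrl), name });
  }

  // Broken listing: ignores who is asking, so every origin sees every name.
  listUnscoped(_callerUrl) {
    return this.records.map((r) => r.name);
  }

  // Correct listing: only names created by the caller's own origin.
  listScoped(callerUrl) {
    const caller = originOf(callerUrl);
    return this.records.filter((r) => r.origin === caller).map((r) => r.name);
  }
}

// Regression check: names in a listing that the caller's origin did not create.
function foreignNames(registry, callerUrl, listing) {
  const own = new Set(registry.listScoped(callerUrl));
  return listing.filter((name) => !own.has(name));
}

function demo() {
  const reg = new DatabaseRegistry();
  reg.create("https://accounts.example.test/login", "profile-user-1234");
  reg.create("https://shop.example.test/cart", "cart-cache");
  reg.create("https://observer.example.test/", "observer-db");
  const caller = "https://observer.example.test/page";
  return {
    unscopedLeak: foreignNames(reg, caller, reg.listUnscoped(caller)),
    scopedLeak: foreignNames(reg, caller, reg.listScoped(caller)),
  };
}
```

With the unscoped listing, the observing origin learns the names created by the other two origins; with the scoped listing it learns none, which is the behaviour the article says a correctly working browser should have.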

FingerprintJS was the first to report on the bug, but its Jan. 14 blog post wasn’t the first time the bug was made public. According to FingerprintJS, this issue was posted to the WebKit Bug Tracker on Nov. 28 of last year, but it wasn’t until Sunday, Jan. 16 that Apple began work on a patch, meaning the bug has gone unpatched for at least the past seven weeks.

Now, Apple is officially working on a patch for this security flaw, but until the fix is here, Safari remains vulnerable.

What to do about this Safari security threat

If you’re on Mac, an easy workaround is to simply use another browser. Chrome, Firefox, Edge, Opera: take your pick. Unfortunately, the same can’t be said for those of us on iOS and iPadOS. While you’ll find these browsers on the App Store, they aren’t actually the same browsers you get on Mac.

Apple, being Apple, doesn’t let developers make their own full-fledged browsers for iPhone and iPad. Instead, developers get to add their browser’s features to Safari, and “sell” it as a separate browser. While Chrome on iOS might seem like the mobile version of the desktop browser, it’s really Safari with a Google skin on top. Sure, you can use convenient features like data sync between Chrome on your Mac and iPhone, but the one you use on mobile is actually built on Apple’s core.

Normally, that’s not a huge deal (although it is annoying). With security issues, however, you can’t swap out your browser like you can on Mac. Until Apple issues a fix for Safari across its three big platforms, using the internet on iPhone or iPad is going to be risky, regardless of which “browser” you use.

[9to5Mac]
