macOS Monterey 12.2 and iOS 15.3 Release Candidates Fix Safari Bug That Leaks Browsing Activity

by

The macOS Monterey 12.2 and iOS 15.3 release candidates that came out today appear to address a Safari bug that could cause your recent browsing history and details about your identity to be leaked to malicious entities.

safari icon blue banner
As shared last week by browser fingerprinting service FingerprintJS, there is an issue with the WebKit implementation of the IndexedDB JavaScript API. Any website that uses IndexedDB can access the names of IndexedDB databases generated by other websites during the same browsing session.

The bug permits a website to spy on other websites that the user visits while Safari is open, and because some websites use user-specific identifiers in their IndexedDB database names, personal information can be gleaned about the user and their browsing habits.

Browsers that use Apple's WebKit engine are impacted, and that includes Safari 15 for Mac and Safari for iOS 15 and iPadOS 15. Some third-party browsers like Chrome are also affected on iOS and iPadOS 15, but the macOS Monterey 12.2, iOS 15.3, and iPadOS 15.3 updates fix the vulnerability.

FingerprintJS constructed a demo website to let users check to see whether they're impacted, and as 9to5Mac notes, after updating to the new software, the website detects no security holes.

The website is designed to tell users details about their Google accounts. On iOS 15.2.1 and macOS Monterey 12.1, we tested and the demo website was able to detect our Google account. After updating to the macOS Monterey 12.2 RC and the iOS 15.3 RC, the demo website no longer detects any data.

Apple earlier this week prepared a fix for the bug and uploaded it to the WebKit page on GitHub, so we knew that Apple was working to address the vulnerability. With the macOS Monterey 12.2 and iOS 15.3 release candidates now available, we could see these updates be made available to the public as soon as next week.

Tag: Safari
Related Forums: iOS 15, macOS Monterey

Popular Stories

iPhone 16 Pro Sizes Feature

iPhone 16 Launch Is Just One Month Out – Here's Everything We Know

Saturday August 10, 2024 5:00 am PDT by
Apple typically releases its new iPhone series in the fall, and a possible September 10 announcement date has been floated this year, which means we are just one month away from the launch of the iPhone 16. Like the iPhone 15 series, this year's lineup is expected to stick with four models – iPhone 16, iPhone 16 Plus, iPhone 16 Pro, and iPhone 16 Pro Max – although there are plenty of design...
Read Full Article240 comments
macbook pro bb cyber

Apple's M3 MacBook Pro Gets Up to $1,000 Off In Major New Sales, Starting at $1,299 [Updated]

Sunday August 11, 2024 1:54 pm PDT by
Apple's M3 MacBook Pro is seeing multiple high value discounts on Best Buy and Amazon today, with up to $1,000 off select models. This includes a new all-time low price on the entry-level M3 512GB 14-inch MacBook Pro at $1,299.00, down from $1,599.00, and a massive $1,000 discount on the high-end 16-inch model exclusively for Best Buy members. Note: MacRumors is an affiliate partner with Best...
Read Full Article78 comments
iPhone 16 Pro Right Side Feature

The iPhone 16 is Getting a New Button: Here's What It Can Do

Tuesday August 13, 2024 4:01 pm PDT by
Multiple rumors have suggested that the iPhone 16 models are going to have an all-new button that's designed to make it easier to capture photos when the devices are held in landscape mode. Apple calls the button the Capture Button internally, and it is going to be one of the most advanced buttons that's been introduced to date with support for multiple gestures and the ability to respond to ...
Read Full Article173 comments
iOS 18 on iPhone Feature

Everything New in iOS 18.1 Beta 2 and iOS 18 Beta 6

Monday August 12, 2024 2:32 pm PDT by
Apple is beta testing iOS 18 and the first update to iOS 18 concurrently, and we got the second betas of iOS 18.1, iPadOS 18.1, and macOS Sequoia 15.1 today alongside the sixth betas of iOS 18, iPadOS 18, and macOS Sequoia 15. Many of the changes in iOS 18.1 are focused on bringing the .1 betas in line with the standard betas, which recently received updates to Photos and Safari, while...
Read Full Article77 comments
Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Thursday August 8, 2024 4:40 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
Read Full Article164 comments
iPhone 17 Slim Feature Single Camera 2

Next Year's Slim iPhone 17 Could Be an 'iPhone Air'

Monday August 12, 2024 8:43 am PDT by
Apple's rumored iPhone 17 "Slim" could be positioned as an iPhone "Air" to boost sales, according to Bloomberg's Mark Gurman. In the latest edition of his "Power On" newsletter, Gurman explained how the "fourth" model in the iPhone lineup since 2020 (the iPhone 12 mini, iPhone 13 mini, iPhone 14 Plus, and iPhone 15 Plus) has largely been a commercial failure. In the case of the Plus model,...
Read Full Article154 comments

Top Rated Comments

Dave-Z Avatar
Dave-Z
34 months ago

As discovered last week ('https://www.macrumors.com/2022/01/16/safari-15-webkit-indexeddb-bug/') by browser fingerprinting service FingerprintJS
It wasn't discovered last week. It was discovered last year, November 2021. It was disclosed to the public last week.


we knew that Apple was working to address the vulnerability in a timely manner
Addressing the issue nearly two months after it having been reported is not timely, especially considering this patch still hasn't reach the public. If the update comes out in one week that will have been two months since Apple first learned about it.
Score: 31 Votes (Like | Disagree)
centauratlas Avatar
centauratlas
34 months ago
"address the vulnerability in a timely manner.".

But is it really timely? Sure, timely since it was made public, but was it timely since they first were informed of it? I'd say no.
Score: 16 Votes (Like | Disagree)
CaTOAGU Avatar
CaTOAGU
34 months ago
It really does feel a bit silly that we’re still having to wait on OS level updates to fix a bug in a web browser.
Score: 15 Votes (Like | Disagree)
IGI2 Avatar
IGI2
34 months ago

It wasn't discovered last week. It was discovered last year, November 2021. It was disclosed to the public last week.



Addressing the issue nearly two months after it having been reported is not timely, especially considering this patch still hasn't reach the public. If the update comes out in one week that will have been two months since Apple first learned about it.
But to be fair, Google Project Zero (and others) has a disclosure policy of 90 days.

We know that this is a privacy breach, but still, modern OSs are fairly complex. Getting to know about it, analysis, fixing it, incorporating in all variants, QA testing, and distributing it to all end users across the globe in one time, whether it's iPhone 6s or iPhone 13 Pro Max is still within reasonable "timely" manner.

We know that they had some public pressure; that's why it's even shorter if we count days since it landed in the news.
Score: 9 Votes (Like | Disagree)
beanbaguk Avatar
beanbaguk
34 months ago
To all those members complaining about the "timely manner" statement. I would say this is very timely and your complaints indicate you have no experience in software development.

I've been in software development for many years (I am a Head of Product at a software technology company), and patching something isn't just a 5-minute job, even if you know what the issue is and how to fix it.

A small change on an API will impact many, many areas of a product and this means thorough testing is required, and diligence of any related libraries and products.

This is hugely time-consuming and since this product impacts so many platforms, it's not just a case of patching and letting it go into the wild. Especially in this instance, a security audit would have to also be conducted to show the result works, and this would have to be verified by multiple organisations.

Then, the patch has to be tested to ensure it deploys safely and correctly over the air. That update process takes time to implement, manage and check. It then needs checking again, more testing and feedback from users (beta), and devs to ensure they are not experiencing any issues. Again, all this takes time.

I hope this provides some perspective as to how and why these fixes take a little time.

It reminds me of the days when I used to build websites for clients. Talking to an individual who has zero ideas as to the complexities of a solid product is the most infuriating and patience-testing experience as a developer.

Anyway. Two months for a fix like this on this scale is perfectly acceptable.
Score: 8 Votes (Like | Disagree)
Macintosh TV Avatar
Macintosh TV
34 months ago
Mozilla has security issues that are more than 2 years old and filed in their system. Chrome has outstanding security issues older than this. Folks need to settle down. This stuff happens. It gets fixed. If you're unhappy with the speed at which a browser or OS patches issues, then it may be time to look elsewhere.
Score: 8 Votes (Like | Disagree)
Read All Comments