Safari 15 Bug Leaks Some Browser History & Google Account Info

Jan 17, 2022 - 6 Comments

Indedexdb Safari 15 bug leaks browser data

A significant Safari bug has been disclosed publicly by FingerPrintJS, impacting Safari 15 on MacOS, iOS, and iPadOS.

What does the Safari 15 IndexedDB bug do?

The bug allows the Safari 15 browser to leak user browser history, along with identifying Google account information in the form of a unique Google user ID. This information could be gathered by websites or nefarious web pages.

An example of the type of information is available of the demo link below:

The Safari bug was apparently “reported to the WebKit Bug Tracker on November 28, 2021 as bug 233548” but for whatever reason Apple has not fixed it yet. Now that the bug has gained press attention, it’s likely that a bug fix patch will be released quickly.

If you’re interested in learning more about the bug and how it works, the video embedded below describes further.

What browsers and devices are impacted by the Safari 15 IndexedDB bug?

The following devices and browsers are potentially impacted by the IndexedDB bug: Safari 15.2 and earlier on Mac, Safari on iOS 15.2 and earlier, Safari on iPadOS 15.2 on earlier.

What can be done to protect yourself from the Safari 15 bug?

If this potential data leaking bug concerns you, the only way to currently protect yourself on the Mac is by temporarily switching to another web browser, like Google Chrome, Firefox, Microsoft Edge, or Brave.

While Safari is an excellent web browser, the other browsers that are not impacted by this bug are also great too, and it can be useful to have an alternate web browser or several available for a variety of reasons, privacy included. Users interested in doing so can grab Brave, Chrome, Firefox, or Microsoft Edge.

It is likely that Apple will soon address the issue by releasing an update to Safari for Mac, and an iOS and iPadOS update separately.


Related articles:

Posted by: Paul Horowitz in News, Security


» Comments RSS Feed

  1. Anonymous says:

    Just uninstall it :^)

  2. KenH says:

    I watched the video. I’m no tech dummy, but this video was incomprehensible. I have no idea what it was trying to say.

    • Damon says:

      1. A website you visit can determine some other websites you’ve visited.

      2. If you are signed-in with a Google account (a substantial proportion of the web using public) the website can determine your Google account, even though you have not signed-in to that website with your Google account.

      Both are “information disclosure” vulnerabilities, the 2nd worse than the 1st.

  3. OneOfTheDamons says:

    It’s worse for iOS/iPadOS than the article implies, because the bug is in the WebKit component which *all* browsers on iOS/iPadOS must use per Apple App Store policy.

    So using another browser on iOS/iPadOS won’t workaround this security vulnerability, I’m afraid.

  4. JohnIL says:

    No excuse for a significant bug like this going unpatched for so long.
    Especially since you cannot use an alternative web engine in IOS which Apple forces any browser even Chrome to use WebKit. At least with Mac OS you can install a different browser which right now is the only work around. If Apple was really concerned about privacy, it should fix bugs in its own apps much sooner. Why is this so hard when WebKit is only used for Safari these days??

    • Damon says:

      Apple’s insistence on the WebKit monopoly on its mobile platforms is asking for a vulnerability such as this to be exploited.

Leave a Reply


Shop on and help support OSXDaily!

Subscribe to OSXDaily

Subscribe to RSS Subscribe to Twitter Feed Follow on Facebook Subscribe to eMail Updates

Tips & Tricks


iPhone / iPad



Shop on Amazon to help support this site