back to article Bug in WebKit's IndexedDB implementation makes Safari 15 leak Google account info... and more

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers. The vulnerability was discovered by fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository. As …

  1. msobkow Silver badge

    Just puts the boots to Apple's claims about being concerned about "security" not their cash cow when they're talking the app store.

    1. Not Irrelevant

      Apple is only concerned about the perception of security, that's why their zero days stay open so much longer than anyone else's.

  2. HildyJ Silver badge
    FAIL

    TITSUP*

    Apple's decision to maintain its walled garden makes it vulnerable to problems when interacting with non-Apple software. Ideally they would collaborate more to anticipate, mitigate, and correct problems but this seems as likely as their starting to respond th ElReg's requests for comments.

    * Total Inability To Secure User Privacy

    1. b0llchit Silver badge
      Joke

      Re: TITSUP*

      Apple's decision to maintain its walled garden makes it vulnerable to problems when interacting with non-Apple software.

      In other words, functioning as designed. The walled garden is there to prevent non-Apple software from interfering with Apple profits. Therefore, non-Apple software is strongly discouraged and deprecated. The ability to run non-Apple software will soon be removed.

      it would be a joke if this scenario was unthinkable

  3. Not Irrelevant

    Apple's lack of 3rd party browsers on iDevices should be criminal.

    1. chivo243 Silver badge
      Headmaster

      (not available for iOS and iPadOS) ?? What? I have firefox on my iPhone running 15.1. Checks again, yup, there it is firefox next to the calculator and the decibel meter.

      And I'm pretty sure my iPad had both Chrome and Firefox before I turned it in to my employer last month.

      Fact check much?

      1. YetAnotherJoeBlow Bronze badge

        Webkit...

        You do realize that all browsers on Ithings are mandated to use Safaris Webkit.

        You do right?

        1. AMBxx Silver badge
          Facepalm

          Re: Webkit...

          Worryingly, the people commenting on The Register are better informed in these matters than the rest of the population, but still think don't understand the difference between the rendering engine and the browser UI.

          1. W.S.Gosset Silver badge

            Re: Webkit...

            In chivo243's defence, OP (& he) mentioned only browsers. Not their underlying rendering engines.

            OP was wrong re browsers. As chivo243 pointed out. If you retcon OP's comment to be re rendering engines, then OP becomes right and chivo243 becomes wrong. But that requires retconning.

            1. Dinanziame Silver badge

              Re: Webkit...

              From a developer's point of view, the rendering engine is the browser, and the UI is just a skin on top. It's like claiming two cars are different models because they're not painted the same color. Anyway, this article is about a security issue in the rendering engine, so it does not make sense to talk of the skin on top of the rendering engine.

              1. sabroni Silver badge

                Re: From a developer's point of view, the rendering engine is the browser

                No. It isn't. That's like claiming two cars are the same because they share the same engine and chassis.

                The rendering engine is a massive amount of the browser, but the javascript runtime environment is equally important to a developer.

            2. chivo243 Silver badge
              Thumb Down

              Re: Webkit...

              Thanks WS, I thought there was some left hand not knowing what the right hand was dealing in that sentence, NO IOS bla bla. and this is a well respected RAG, so I would hope the authors would be able to discern between a browser wrapper, and an engine... and say so!!

              So, bring on the down votes on this one, I was technically right in what I read... not what the author intended...

              Eadon is that you!??? LOL

              Where's the Linus finger when I really need it?!

      2. Anonymous Coward
        Anonymous Coward

        Have a fact

        Here’s a fact check for you, assuming you believe anything written at https://www.theregister.com/2020/06/29/apple_web_developers/

        > Apple requires that all web browsers on iOS devices use Safari's WebKit rendering engine, which has made mobile browsers on iOS something of a monoculture: Though users may choose to run Chrome on iOS, it's essentially Safari under the hood.

      3. katrinab Silver badge
        Paris Hilton

        Firefox everywhere else uses the Gecko rendering engine. On iOS and iPadOS, it uses the WebKit engine.

    2. veti Silver badge

      It's more than that, it's wholly imaginary. There are several other browsers available on ios and iPad, including Firefox, Opera and more.

      1. Tessier-Ashpool

        All those other browsers rely on iOS webkit, which is the source of this particular vulnerability.

        Depending on your point of view, that’s a good or a bad thing. Personally, given that numerous other iOS apps and services depend on webkit, I’d say that centralising core code this way is for the best, even if the occasional howler surfaces.

  4. Brewster's Angle Grinder Silver badge
    Facepalm

    Privacy? We've not even heard of it!

    This is equivalent to finding you can read files that are chmod 600 for other users. It's that much of an epic failure.

  5. Ace2 Bronze badge

    Whatever

    I will still take web services controlled by Apple over web services controlled by Google, any day of the week.

    1. Korev Silver badge
      Thumb Up

      Re: Whatever

      Me too, also the reason why I switched from Android to iPhone

    2. msobkow Silver badge

      Re: Whatever

      I do not understand the rationale of choosing to go with the more expensive and invasive of the evils. If you think Apple is really any better than Google, I direct you to a history of charges, claims, and lawsuits over the years, on a variety of issues.

      Apple just plays the public perception card of being "security conscious"; it doesn't mean they are any better than anyone else at actually implementing and enforcing security and quality software.

      Thank you for drinking Apple's kool-aid and paying your tithe for choosing an iThing instead of the cheaper and equally invasive eThing from an alternate vendor.

      They all reap you as their data feed. All of them. No exceptions. YOU are both market and product.

      Like politicians, they will say anything to get you to steer your votes/dollars in their direction. Don't mistake "The Message" for reality.

      1. Ace2 Bronze badge

        Re: Whatever

        You think Apple is more invasive than Google? Please explain.

        1. Charlie Clark Silver badge

          Re: Whatever

          From a personal perspective I'd say they're as bad as each other. Yes, Google's business is the mining of personal information for advertising, but when it comes to security it has, at least among tech companies, an enviable track record of identifying and fixing bugs.

          As Apple moves more and more into the services business, it is going to be doing similar things with personal data for Apple Music and Apple TV. And, when it comes to patching software bugs, it has a dismal record, despite the solid underpinnings of MacOS. This is further not helped by the apparent need to fiddle with much of the open source software it makes use of: eg. when openssl bugs are discovered you normally need to wait for an OS update from Apple.

      2. Anonymous Coward
        Anonymous Coward

        Re: Whatever

        > Apple just plays the public perception card of being "security conscious"; it doesn't mean they are any better than anyone else at actually implementing and enforcing security and quality software.

        They do *sort* of earn it in one area of the Mobile space, but only because the competition is so pathetic.

        If you get an iPhone, it'll be getting security updates for much, much longer than the majority of the Android alternatives (which might mean you can hate your dumbed down phone for longer).

      3. katrinab Silver badge
        Gimp

        Re: Whatever

        Google makes their money from advertising. Apple makes their money from selling hardware.

        That is the difference.

    3. Brewster's Angle Grinder Silver badge

      Way to misunderstand the issue

      This is not about a choice between web services controlled by Apple and web services controlled by Google. It's about a web browser controlled by Apple that will allow any web service to read data stored by any other web service.

  6. grizewald

    How long ago?

    "As of 28 November last year, the issue had not been fixed"

    So there's a major credential stealing bug in Safari which has been public since 28 Nov 2021? We are hearing about it now on the 17 Jan 2022??

    Seriously?????

    1. Pascal Monett Silver badge
      Coat

      Re: How long ago?

      Hey !

      Have you heard of the XMas break ?

      1. DJV Silver badge

        Re: Have you heard of the XMas break?

        Yeah, Auntie Mabel had one of those after she'd been at the sherry originally destined for the Christmas pudding and singing "I Won't Decorate Your Christmas Tree This Year" at the top of the stairs...

        ...just before she was suddenly at the bottom of those same stairs.

        1. skeptical i
          Meh

          Re: Have you heard of the XMas break?

          On the off-chance that DJV was not joking, I hope Aunt Mabel is OK. :^\

          So, I suppose using the "clear history and website data" option in iOS settings for Safari between browsings (visit website, close tab, "clear all", open new tab, visit another site, close tab, "clear all", lather rinse repeat) will not help? (Because that'd be too easy, right?)

          1. msobkow Silver badge

            Re: Have you heard of the XMas break?

            Well, except for those of us who have accounts and do work over the internet, including for clients, who will be none too impressed to find out the golden keys to their corporate intranets has been exposed by every iThing using user in their employee roster...

    2. Anonymous Coward
      Anonymous Coward

      Re: How long ago?

      Does appear to be fixed In the latest beta. I used the test site and it didn’t pickup Netflix despite being logged in.

  7. Anonymous Coward
    Anonymous Coward

    Google Account part of the vunerability?

    Good. Never had one, never will.

    Apple dropped the ball on this one. I'm sure that it won't be long before it is fixed will it El Fruity Co? Over to you Tim Apple...

    1. Richard 12 Silver badge

      Re: Google Account part of the vunerability?

      No, just an example

  8. Tim99 Silver badge
    Big Brother

    Google?

    What is this Google? Is the same one that I may occasionally use by typing in "my search terms !g" into DuckDuckGo…

  9. elsergiovolador Silver badge

    Services

    Probably requested by services. Now that is out in public they will have to work out new "bugs" to spy on targets.

  10. Mike 137 Silver badge

    "if one tab was used to access a user's bank and the other a malicious website"

    Question 1. Who would actually be dumb enough?

    Question 2. Should they rely on any software 'policy' to make it safe?

    1. runt row raggy

      Re: "if one tab was used to access a user's bank and the other a malicious website"

      can you clarify "who would be dumb enough" to what? open a bank site in a tab? the malicious site could be one that you normally trust, but has been tricked into doing something it shouldn't. sites that allow you to read your mail come to mind here.

      also, relying on policy to keep you safe. yes. it always comes down to that. there's a policy about which side of the road to drive on. this keeps you safe. there's a policy to not double-dip your chip. this keeps you safe.

  11. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921 Bronze badge

    fscking hell i'm sticking with xp

  12. donnieMurdo

    Private browsing mitigates this somewhat...

    Safari does private browsing a little differently than other browsers, in that each tab is its own session (FF/Chrome all seem to share the same 'private' session between tabs). The above demo would only work if you opened up gmail, signed in then went to that URL. But then again nobody except me seems to use private browsing day to day.

  13. nojava

    Switch to brave

    New iphone user here. I switched to brave on my iphone. Hopefully the bug isn't there.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022