Just puts the boots to Apple's claims about being concerned about "security" not their cash cow when they're talking the app store.
Bug in WebKit's IndexedDB implementation makes Safari 15 leak Google account info... and more
An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers. The vulnerability was discovered by fraud detection service Fingerprint JS, which has contacted the WebKit maintainers and provided a public source code repository. As …
COMMENTS
-
Monday 17th January 2022 19:17 GMT Anonymous Coward
TITSUP*
Apple's decision to maintain its walled garden makes it vulnerable to problems when interacting with non-Apple software. Ideally they would collaborate more to anticipate, mitigate, and correct problems but this seems as likely as their starting to respond to ElReg's requests for comments.
* Total Inability To Secure User Privacy
-
Monday 17th January 2022 19:56 GMT b0llchit
Re: TITSUP*
> Apple's decision to maintain its walled garden makes it vulnerable to problems when interacting with non-Apple software.
In other words, functioning as designed. The walled garden is there to prevent non-Apple software from interfering with Apple profits. Therefore, non-Apple software is strongly discouraged and deprecated. The ability to run non-Apple software will soon be removed.
it would be a joke if this scenario was unthinkable
-
Tuesday 18th January 2022 06:45 GMT chivo243
(not available for iOS and iPadOS) ?? What? I have Firefox on my iPhone running 15.1. Checks again, yup, there it is Firefox next to the calculator and the decibel meter.
And I'm pretty sure my iPad had both Chrome and Firefox before I turned it in to my employer last month.
Fact check much?
-
Tuesday 18th January 2022 09:30 GMT W.S.Gosset
Re: Webkit...
In chivo243's defence, OP (& he) mentioned only browsers. Not their underlying rendering engines.
OP was wrong re browsers. As chivo243 pointed out. If you retcon OP's comment to be re rendering engines, then OP becomes right and chivo243 becomes wrong. But that requires retconning.
-
Tuesday 18th January 2022 11:18 GMT Dinanziame
Re: Webkit...
From a developer's point of view, the rendering engine is the browser, and the UI is just a skin on top. It's like claiming two cars are different models because they're not painted the same color. Anyway, this article is about a security issue in the rendering engine, so it does not make sense to talk of the skin on top of the rendering engine.
-
Tuesday 18th January 2022 13:53 GMT sabroni
Re: From a developer's point of view, the rendering engine is the browser
No. It isn't. That's like claiming two cars are the same because they share the same engine and chassis.
The rendering engine is a massive amount of the browser, but the JavaScript runtime environment is equally important to a developer.
-
Tuesday 18th January 2022 18:01 GMT chivo243
Re: Webkit...
Thanks WS, I thought there was some left hand not knowing what the right hand was dealing in that sentence, NO IOS bla bla. and this is a well respected RAG, so I would hope the authors would be able to discern between a browser wrapper, and an engine... and say so!!
So, bring on the down votes on this one, I was technically right in what I read... not what the author intended...
Eadon is that you!??? LOL
Where's the Linus finger when I really need it?!
-
Tuesday 18th January 2022 11:16 GMT Anonymous Coward
Have a fact
Here’s a fact check for you, assuming you believe anything written at https://www.theregister.com/2020/06/29/apple_web_developers/
> Apple requires that all web browsers on iOS devices use Safari's WebKit rendering engine, which has made mobile browsers on iOS something of a monoculture: Though users may choose to run Chrome on iOS, it's essentially Safari under the hood.
-
Tuesday 18th January 2022 09:12 GMT Tessier-Ashpool
All those other browsers rely on iOS webkit, which is the source of this particular vulnerability.
Depending on your point of view, that’s a good or a bad thing. Personally, given that numerous other iOS apps and services depend on webkit, I’d say that centralising core code this way is for the best, even if the occasional howler surfaces.
-
Monday 17th January 2022 21:25 GMT Anonymous Coward
Re: Whatever
I do not understand the rationale of choosing to go with the more expensive and invasive of the evils. If you think Apple is really any better than Google, I direct you to a history of charges, claims, and lawsuits over the years, on a variety of issues.
Apple just plays the public perception card of being "security conscious"; it doesn't mean they are any better than anyone else at actually implementing and enforcing security and quality software.
Thank you for drinking Apple's kool-aid and paying your tithe for choosing an iThing instead of the cheaper and equally invasive eThing from an alternate vendor.
They all reap you as their data feed. All of them. No exceptions. YOU are both market and product.
Like politicians, they will say anything to get you to steer your votes/dollars in their direction. Don't mistake "The Message" for reality.
-
Tuesday 18th January 2022 11:16 GMT Charlie Clark
Re: Whatever
From a personal perspective I'd say they're as bad as each other. Yes, Google's business is the mining of personal information for advertising, but when it comes to security it has, at least among tech companies, an enviable track record of identifying and fixing bugs.
As Apple moves more and more into the services business, it is going to be doing similar things with personal data for Apple Music and Apple TV. And, when it comes to patching software bugs, it has a dismal record, despite the solid underpinnings of MacOS. This is further not helped by the apparent need to fiddle with much of the open source software it makes use of: e.g. when OpenSSL bugs are discovered you normally need to wait for an OS update from Apple.
-
Tuesday 18th January 2022 11:09 GMT Anonymous Coward
Re: Whatever
> Apple just plays the public perception card of being "security conscious"; it doesn't mean they are any better than anyone else at actually implementing and enforcing security and quality software.
They do *sort* of earn it in one area of the Mobile space, but only because the competition is so pathetic.
If you get an iPhone, it'll be getting security updates for much, much longer than the majority of the Android alternatives (which might mean you can hate your dumbed down phone for longer).
-
Monday 17th January 2022 23:54 GMT DJV
Re: Have you heard of the XMas break?
Yeah, Auntie Mabel had one of those after she'd been at the sherry originally destined for the Christmas pudding and singing "I Won't Decorate Your Christmas Tree This Year" at the top of the stairs...
...just before she was suddenly at the bottom of those same stairs.
-
Tuesday 18th January 2022 00:17 GMT skeptical i
Re: Have you heard of the XMas break?
On the off-chance that DJV was not joking, I hope Aunt Mabel is OK. :^\
So, I suppose using the "clear history and website data" option in iOS settings for Safari between browsings (visit website, close tab, "clear all", open new tab, visit another site, close tab, "clear all", lather rinse repeat) will not help? (Because that'd be too easy, right?)
-
Tuesday 18th January 2022 04:48 GMT Anonymous Coward
Re: Have you heard of the XMas break?
Well, except for those of us who have accounts and do work over the internet, including for clients, who will be none too impressed to find out the golden keys to their corporate intranets have been exposed by every iThing-using user in their employee roster...
-
Wednesday 19th January 2022 00:49 GMT runt row raggy
Re: "if one tab was used to access a user's bank and the other a malicious website"
can you clarify "who would be dumb enough" to what? open a bank site in a tab? the malicious site could be one that you normally trust, but has been tricked into doing something it shouldn't. sites that allow you to read your mail come to mind here.
also, relying on policy to keep you safe. yes. it always comes down to that. there's a policy about which side of the road to drive on. this keeps you safe. there's a policy to not double-dip your chip. this keeps you safe.
-
Wednesday 19th January 2022 11:43 GMT donnieMurdo
Private browsing mitigates this somewhat...
Safari does private browsing a little differently than other browsers, in that each tab is its own session (FF/Chrome all seem to share the same 'private' session between tabs). The above demo would only work if you opened up gmail, signed in then went to that URL. But then again nobody except me seems to use private browsing day to day.