back to article Apple preps fix for Safari's web-history-leaking IndexedDB privacy bug

Apple is preparing to repair a bug in its WebKit browser engine that has been leaking data from its Safari 15 browser at least since the problem was reported last November. Updates made available on Thursday to Apple developers – iOS 15.3 RC and macOS 12.2 RC – reportedly fix the flaw, an improper implementation of IndexedDB …

  1. nijam Silver badge

    > Apple engineers began working to remediate the IndexDB bug on Sunday, January 16, two days after Fingerprint.js publicly disclosed the issue.

    So, not when Apple were notified at the end of November? Oh well, why would they bother?

    1. John Brown (no body) Silver badge

      On the other hand, this bug wouldn't even be a problem if the sites using it didn't reveal personal data in the NAME of the database. How hard would it be to just use a randomly constructed name? This as bad as passing personal data in URI GET requests.

      1. John Brown (no body) Silver badge
        Facepalm

        "1 thumb down"

        Thanks for the clear explanation of why I am wrong.

        1. Charlie Clark Silver badge
          Thumb Down

          Have another one for whining…

      2. Charlie Clark Silver badge

        The real problem is the violation of the Same Original Policy. IDs become a bigger problem as a result of this but wouldn't matter if proper encapsulation was used.

        1. Anonymous Coward
          Anonymous Coward

          But it is same origin when the DB is in _ALL_ origins :-/. The voices of concern are right, this is more serious than a SOP/CORS violation.

    2. DS999 Silver badge

      iOS 15.2 was already in beta in October so the fix couldn't have made the cut there, but it should have been included in iOS 15.2.1.

      1. Anonymous Coward
        Anonymous Coward

        When you have a showstopper bug, you fix it, regardless of whether you're in "beta" already or not. That is the whole point of alphas and betas - to find bugs!!!

        Or you should be sued by your user community for failing to do so.

    3. JimboSmith Silver badge

      When I found out that everything was running on Apple WebKit I said to a tech department manager surely that’s quite risky. What if someone discovers a serious CVE and we’re then stuck using it under whatever badge until Apple get off their butts and do something about it. Manager tells me that it isn’t my problem so don’t worry about it.

      1. DS999 Silver badge

        And how is that different than using Edge or Chrome or Firefox, unless you believe you can go the source and recompile Chromium or Firefox yourself after you've fixed it?

        You still have to wait for someone to fix stuff. You think those have never had any bugs laying around for a few months before they got fixed?

        No matter what OS you use, what browser you use, you are vulnerable to dozens if not hundreds of severe unfixed bugs. Most of them have never been discovered, but some have are in sitting in the vault at the NSA, GCHQ, FSB, MSS, Mossad, etc. or worse has been sold on the dark web to malware/ransomware authors.

        1. teknopaul

          With chrome and Fire Fox bugs are fixed when the devs are told about the bug.

          With Safari bugs are fixed when Twitter is told, it's as if the crims have access to free zero days.

          Big difference.

        2. Charlie Clark Silver badge

          The main difference is the release schedule. Firefox and Chrome have predictable release dates and established procedures for bug fixes. They also have long term releases to make life easier for corporates. Year on and Apple still does not have predictable release dates and a history of bug fixes breaking things. Could the two be connected?

          1. Anonymous Coward
            Anonymous Coward

            "Could the two be connected?"

            ( MONEY ) ? apple_interest : user_interest;

          2. Anonymous Coward
            Anonymous Coward

            Yes, Apple's incompetence is to blame, despite the rah-rahing fanbois and their billions in the bank collected from people who don't know any better.

        3. JimboSmith Silver badge

          And how is that different than using Edge or Chrome or Firefox, unless you believe you can go the source and recompile Chromium or Firefox yourself after you've fixed it?

          You still have to wait for someone to fix stuff. You think those have never had any bugs laying around for a few months before they got fixed?

          No matter what OS you use, what browser you use, you are vulnerable to dozens if not hundreds of severe unfixed bugs. Most of them have never been discovered, but some have are in sitting in the vault at the NSA, GCHQ, FSB, MSS, Mossad, etc. or worse has been sold on the dark web to malware/ransomware authors.

          Yes bugs exist and will do on all browser engines on most OSes I would expect. The difference on IOS is all the browsers on IOS are forced to use the same WebKit browser engine, that’s whether it’s Safari, Firefox, Opera, Chrome etc.

          So that means it makes no difference whatever browser you choose to use on IOS you’re exposed to the same bugs and vulnerabilities. You can’t avoid a serious bug/vulnerability in Safari on IOS by just using Chrome or Firefox instead.

          On Android/Mac OS/Windows/Linux there is no restriction and browsers can use any engine, so Gecko, Blink etc.

  2. Anonymous Coward
    Anonymous Coward

    I'd hardly call getting off your butt TWO DAYS after the public disclosure to be "proactive response". It may be an improvement on Apple's past responsiveness, but it sure doesn't pass the smell test for any other company.

  3. Anonymous Coward
    Anonymous Coward

    Don’t want to upgrade

    I don’t want to upgrade from 15.1 due to the csam stuff.

    This bug has huge privacy issues and so does the csam stuff.

    Rick, meet hard place.

    1. Mishak Silver badge

      csam

      I think you should be ok (for now), as I think it's been delayed?

  4. FlamingDeath Silver badge

    FAPPLE

    title

    1. This post has been deleted by its author

  5. FlamingDeath Silver badge

    Documentary

    "I Like Money"

    - Frito

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like