Apple is fixing a Safari bug that lets websites access your browsing history and Google ID

Apple is developing a fix for a recently discovered Safari tracking bug that would let any website track your browsing history and access your Google ID for tracking purposes.

  • Apple’s implementation of IndexedDB APIs in Safari comes with a bug
  • Websites may access your browsing history and your Google ID
  • Apple has confirmed it’s now working on a fix for the bug

A new Safari tracking bug compromises your browsing history

On Sunday, January 16, 2022, browser fingerprinting service FingerprintJS reported this bug, which affects Safari on iOS 15, iPadOS 15 and macOS Monterey. Thankfully, Apple has acted swiftly and is already preparing a fix for this latest Safari tracking bug, according to a WebKit commit on GitHub spotted by MacRumors.

The culprit: Apple’s implementation of IndexedDB, a browser API that provides client-side database storage. By design, the IndexedDB API prevents one website from accessing a database generated by another website. A bug in the Safari browser, however, permits a website to access data that it didn’t generate, like your browsing history.

From a post on the FingerprintJS blog:

Note that these leaks do not require any specific user action. A tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real-time. Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.

To prevent conflicts, IndexedDB generates unique database names that in some cases may include identifiers unique to the user. Certain websites use a user’s Google ID in their database name, which could be leveraged to reveal your identity.

FingerprintJS produced a special webpage at SafariLeaks.com that shows this in action.
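
Site operators can check whether the database names on their own origin would expose a user identifier in the way described above. The following is an added example, not code from the article or from FingerprintJS; the patterns, function names and sample database names are assumptions constructed for illustration.

```javascript
// Added example: audit IndexedDB database names for embedded user identifiers.
// The heuristics and sample names below are constructed, not from the article.
const IDENTIFIER_PATTERNS = [
  // Assumption: a run of 15+ digits is treated as a possible numeric account ID.
  { kind: "long-numeric-id", re: /\d{15,}/ },
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
];

// Return one finding per database name that embeds something identifier-like.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const kinds = IDENTIFIER_PATTERNS.filter((p) => p.re.test(name)).map((p) => p.kind);
    if (kinds.length > 0) findings.push({ name, kinds });
  }
  return findings;
}

// In a browser, collect this origin's own database names via indexedDB.databases().
// Outside a browser, or where the method is missing, return an empty list.
async function listOwnDatabaseNames() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return [];
  }
  const dbs = await indexedDB.databases();
  return dbs.map((db) => db.name);
}

// Constructed sample names standing in for what a site might create.
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline.settings.000000000000000000000",
  "drafts_user@example.com",
  "session-3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
];

console.log(auditDatabaseNames(SAMPLE_NAMES));
```

Names that are flagged are candidates for renaming to a fixed, user-independent value, with the per-user data kept inside the database rather than in its name.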

How to protect yourself from Safari’s IndexedDB bug

While Apple is working to develop a fix for this bug, there are some things you can do to minimize the impact of this issue. You could disable JavaScript in the Safari settings, and then enable it for specific websites. If that sounds like too much work, use Safari’s Incognito window to browse privately to limit the issue to a single tab.

As a last resort, temporarily switch to another browser until a fix is available.