Earlier this week, a bug was disclosed in Safari that lets a web page learn part of a visitor's recent browsing history. Apple is already working on it and has committed a fix, which should reach users as soon as possible.

A bug that affects 3% of the most visited domains

The situation is this: because of a bug in the implementation of the IndexedDB JavaScript API, Safari does not enforce the same-origin policy for IndexedDB. Normally each website (origin) can only see the databases it created itself. Under this bug, a page on one origin can see the names of databases created by other origins during the same browsing session. The contents of those databases are not exposed, only their names, but a name is often enough to tell which site the user visited and, in some cases, who the user is.

Because of this, as the linked proof-of-concept demo shows, a website can learn about the visitor's recent browsing. From which sites? From those that use IndexedDB to store information. The most serious case is Google: its services use the Google user ID as part of the names of the databases they create, so a malicious website can read that ID for any visitor who is logged in to Google and use it to identify the visitor across sites.
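As an added example (not the demo linked above, nor Apple's or this page's code), the following is the kind of same-origin check a site owner can paste into the browser console of a page they control to see whether the browser in use leaks IndexedDB names from other origins. It assumes a hypothetical list OWN_DATABASES of the database names this origin creates itself; with correct same-origin enforcement, indexedDB.databases() returns only those, so anything else in the list is a leak.

```javascript
// Added example, not code from the page, the demo, or WebKit.
// Names this origin legitimately creates (hypothetical; fill in for your site).
const OWN_DATABASES = ["shop-cart", "shop-session"];

// Given the names reported by indexedDB.databases() and the set of names this
// origin owns, return the names that should not be visible here at all.
// Under correct same-origin enforcement the result is always empty.
function findForeignDatabases(reportedNames, ownNames) {
  const own = new Set(ownNames);
  const foreign = [];
  for (const name of reportedNames) {
    // An empty or non-string name is a malformed entry, not a leak; skip it.
    if (typeof name !== "string" || name.length === 0) continue;
    if (!own.has(name) && !foreign.includes(name)) foreign.push(name);
  }
  return foreign.sort();
}

// Poll the browser several times: leaked entries show up when another origin
// touches its database, so a single snapshot can miss them.
async function checkSameOriginIsolation({ rounds = 5, intervalMs = 500 } = {}) {
  // Outside a browser (or in one without indexedDB.databases) there is
  // nothing to check, so report that rather than a false "all clear".
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return { supported: false, foreign: [] };
  }
  const seen = new Set();
  for (let i = 0; i < rounds; i++) {
    const dbs = await indexedDB.databases();
    for (const name of findForeignDatabases(dbs.map((d) => d.name), OWN_DATABASES)) {
      seen.add(name);
    }
    if (i < rounds - 1) await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
  return { supported: true, foreign: [...seen].sort() };
}
```

Run checkSameOriginIsolation() from the console of your own page while another tab uses a site that writes to IndexedDB. On an affected Safari build the foreign list is non-empty; once Apple's fix has shipped it stays empty, which is the behaviour the same-origin policy requires.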

As can be seen in the WebKit project on GitHub, Apple has already committed a fix. It should arrive with an update to its various operating systems and a new version of Safari. We do not know the exact date, but we would bet on it being soon.

It should be remembered that not all web pages use IndexedDB. Of the top 1,000 domains in the Alexa ranking, only 30 do so, which is just 3%. Those 30 include some of the most widely used services, however, and a single leaked identifier is enough to tie a visitor to an account. Either way, this is certainly not how Safari is supposed to work, so for now we will keep an eye out for the update.

Picture | Philippe Katzenberger