macOS Monterey 12.2 and iOS 15.3 Release Candidates Fix Safari Bug That Leaks Browsing Activity
The macOS Monterey 12.2 and iOS 15.3 release candidates that came out today appear to address a Safari bug that could cause your recent browsing history and details about your identity to be leaked to malicious entities.
As shared last week by browser fingerprinting service FingerprintJS, there is an issue with the WebKit implementation of the IndexedDB JavaScript API. Any website that uses IndexedDB can access the names of IndexedDB databases generated by other websites during the same browsing session.
The bug permits a website to spy on other websites that the user visits while Safari is open, and because some websites use user-specific identifiers in their IndexedDB database names, personal information can be gleaned about the user and their browsing habits.
Browsers that use Apple's WebKit engine are impacted, and that includes Safari 15 for Mac and Safari for iOS 15 and iPadOS 15. Some third-party browsers like Chrome are also affected on iOS and iPadOS 15, but the macOS Monterey 12.2, iOS 15.3, and iPadOS 15.3 updates fix the vulnerability.
FingerprintJS constructed a demo website to let users check to see whether they're impacted, and as 9to5Mac notes, after updating to the new software, the website detects no security holes.
The website is designed to tell users details about their Google accounts. On iOS 15.2.1 and macOS Monterey 12.1, we tested and the demo website was able to detect our Google account. After updating to the macOS Monterey 12.2 RC and the iOS 15.3 RC, the demo website no longer detects any data.
Apple earlier this week prepared a fix for the bug and uploaded it to the WebKit page on GitHub, so we knew that Apple was working to address the vulnerability. With the macOS Monterey 12.2 and iOS 15.3 release candidates now available, we could see these updates be made available to the public as soon as next week.
Popular Stories
The first iOS 17.3 beta rolling out to developers today includes a new "Stolen Device Protection" feature that is designed to add an additional layer of security in the event someone has stolen your iPhone and also obtained the device's passcode. Earlier this year, The Wall Street Journal's Joanna Stern and Nicole Nguyen reported about instances of thieves spying on a victim's iPhone...
Apple has made available for download its major end-of-year iPhone software update, iOS 17.2, featuring a large number of features and changes that users have been anticipating for quite a while. Below, we've listed 33 new things that your iPhone can do once you've installed the update. Check Settings ➝ General ➝ Software Update on your device to get downloading. 1. Help You Keep a Daily ...
With the launch of the iPhone 15, Apple introduced design changes like a curved frame and a frosted glass back. Information acquired by MacRumors suggests that Apple's next-generation iPhone 16 will build on these updates with modifications to the buttons and the camera layout. We have details on early pre-production designs for the iPhone 16, including a look at the variants and hardware...
Earlier this year, General Motors (GM) announced plans to phase out Apple's CarPlay and Android Auto in its future electric vehicles, with the company instead relying on an infotainment system co-developed with Google. This has not been a popular decision with iPhone users, and today, GM provided some additional insight into the decision in a discussion with MotorTrend. According to Tim...
While the iPhone 16 Pro and iPhone 16 Pro Max are still over nine months away from launching, there are already several rumors about the devices. Below, we have recapped new features and changes expected for the devices so far. These are some of the key changes rumored for the iPhone 16 Pro models as of December 2023:Larger displays: The iPhone 16 Pro and iPhone 16 Pro Max will be equipped...
Apple today released tvOS 17.2, the second major update to the tvOS 17 operating system that came out in September 2023. tvOS 17.2 comes more than a month after tvOS 17.1, an update that expanded the availability of the Enhanced Dialogue feature. tvOS 17.2 can be downloaded using the Settings app on the Apple TV. Go to System > Software Update to get the new software. Apple TV...
When Apple releases new software, iOS updates tend to get most of the attention, and there are sometimes useful new features in Mac updates that go under the radar. That's the case with macOS Sonoma 14.2. It doesn't have flashy features like the Journal app that came in iOS 17.2, but there are a number of useful improvements that make it worth installing. Subscribe to the MacRumors YouTube ...
Top Rated Comments
Addressing the issue nearly two months after it having been reported is not timely, especially considering this patch still hasn't reach the public. If the update comes out in one week that will have been two months since Apple first learned about it.
But is it really timely? Sure, timely since it was made public, but was it timely since they first were informed of it? I'd say no.
We know that this is a privacy breach, but still, modern OSs are fairly complex. Getting to know about it, analysis, fixing it, incorporating in all variants, QA testing, and distributing it to all end users across the globe in one time, whether it's iPhone 6s or iPhone 13 Pro Max is still within reasonable "timely" manner.
We know that they had some public pressure; that's why it's even shorter if we count days since it landed in the news.
I've been in software development for many years (I am a Head of Product at a software technology company), and patching something isn't just a 5-minute job, even if you know what the issue is and how to fix it.
A small change on an API will impact many, many areas of a product and this means thorough testing is required, and diligence of any related libraries and products.
This is hugely time-consuming and since this product impacts so many platforms, it's not just a case of patching and letting it go into the wild. Especially in this instance, a security audit would have to also be conducted to show the result works, and this would have to be verified by multiple organisations.
Then, the patch has to be tested to ensure it deploys safely and correctly over the air. That update process takes time to implement, manage and check. It then needs checking again, more testing and feedback from users (beta), and devs to ensure they are not experiencing any issues. Again, all this takes time.
I hope this provides some perspective as to how and why these fixes take a little time.
It reminds me of the days when I used to build websites for clients. Talking to an individual who has zero ideas as to the complexities of a solid product is the most infuriating and patience-testing experience as a developer.
Anyway. Two months for a fix like this on this scale is perfectly acceptable.