Apple has fix on the way to solve IndexedDB security crisis
Apple’s security teams are now actively testing a fix for the nasty and widely reported IndexedDB API security flaw that may have leaked browser history and Google ID. But the fix isn’t available yet.
iOS 15.3 and Monterey 12.2 are coming
The fix is part of the iOS 15.3 and Monterey 12.2 release candidates currently in testing. Presumably, if no problems are found in these installations, we’ll see the software ship next week.
The flaw was first spotted by FingerprintJS earlier this month. It involved the Indexed Database API (IndexedDB), which stores data from some websites on your device to accelerate page loading times.
A flaw in Apple’s code meant information held in your database could be extracted to get lists of where you’ve been, and to get information about your Google ID.
More confidential information was not leaked, but the data that was leaked could then be used to seek out other information about you.
The security researchers have a page where you can see how the vulnerability works.
Don’t panic, but don’t use Safari
Not everyone is impacted. If you use Safari on iOS 15 or macOS 12.2 you are vulnerable — reassuringly, Mac, iPhone or iPad users on iOS 14 are not impacted.
So, if you are one of the many who haven’t yet updated to iOS 15, you will not be bugged by this bug.
What should you do while waiting for the software to ship?
The researchers say other browsers are not impacted by the problem. I’d recommend using the all-new and super-private DuckDuckGo browser on an iOS device or Firefox on a Mac.
Apple hasn’t said when it will ship the patches. We also don’t think Universal Control will make its appearance in these releases. The feature is now not anticipated until spring, potentially at around the same time as Apple introduces the 5G iPhone SE 3 and new iPad Air.