Skip to main content
  1. Home
  2. Mobile

Apple’s iOS 15.3 update fixes critical Safari security bug

By

Apple has just released iOS 15.3, and while this latest update doesn’t add any significant new features, it addresses at least one critical security flaw. Earlier this month, software engineer Martin Bajanik of FingerprintJS found a serious vulnerability in Safari 15, the browser included in iOS 15 and iPadOS 15, that could leak browsing history information and even credentials from online services that a person is using, such as Google, YouTube, Amazon, and sites using WordPress.

As Bajanik explains, many websites use an API called IndexedDB to request that browsers like Safari and Chrome store information in a local database on a person’s device. Under normal circumstances, a given website should only be able to request information about the databases that it created — any others should be invisible to it.

An iPad screen showing website data in Safari settings.
Jesse Hollington / Digital Trends

Unfortunately, it turns out the Safari browser in iOS 15 wasn’t exactly respecting those rules. Although it wasn’t giving out any information stored in those databases, it was happily providing a full list of all the local databases to any website that asked.

Recommended Videos

While this may sound relatively innocuous on the surface, the problem is that many services use sensitive information for these database names. For instance, Google uses an internal unique and user-specific identifier that allows anybody who is logged into their Google Account to be “uniquely and precisely identified.” Bajanaik notes that this Google User ID can even be fed into Google APIs to pull up public information on the account owner, such as their name and profile picture.

Related

To make matters worse, not only does this allow a malicious website to learn a user’s identity, but it can also be used to get a list of multiple accounts owned by the same person. This could create a serious breach of privacy in situations where someone is using an anonymous account that’s not tied to their personal identity in any way. A hacker exploiting this flaw could make a connection by discovering that the same individual had information for both accounts stored in their browser.

The flaw also appears to be easy to exploit. Bajanaik explains that “a tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real time,” allowing hackers to collect data on targets simply by planting malicious code in a seemingly legitimate website.

Security fixes in iOS 15.3

Compared with the exciting features that arrived in the last couple major iOS releases, this week’s iOS 15.3 update may appear pretty boring, but it shouldn’t be taken lightly. In fact, it’s even more important to update to iOS 15.3 as soon as possible.

Not only does iOS 15.3 fix this particularly nasty security hole in Safari, but according to Apple’s release notes, there are nine other important security fixes, including one that Apple notes “may have been actively exploited.”

Other security vulnerabilities resolved in iOS 15.3 include an iCloud bug that could allow applications to bypass security and access a user’s files, plus several other scenarios where malicious applications could find ways to gain root privileges or arbitrarily execute code to do things they shouldn’t be permitted to do.

Editors' Recommendations

Topics
Jesse Hollington
Jesse Hollington
Mobile Writer
Jesse has been a technology enthusiast for his entire life — he probably would have been born with an iPhone in his hand…
iOS 17 isn’t the iPhone update I was hoping for
iMessage stickers in iOS 17

Apple gave us a jam-packed WWDC 2023 keynote, and it was one of the most significant ones in years. After all, it introduced a brand new product category for Apple with the Vision Pro mixed reality headset. It’s basically as significant as when Steve Jobs revealed the iPhone in 2007, then the iPad in 2010, and when Tim Cook showed off the Apple Watch in 2014.

But the headset isn’t the only thing we got in the WWDC keynote. Since it’s a developer conference, it’s also about the software for all of our devices. This includes iOS 17 for the iPhone, along with iPadOS 17, watchOS 10, and macOS 14 Sonoma.

Read more
iOS 17’s coolest new feature is horrible news for Android users
iOS 17 contact posters

At the end of 2022, Google implored Apple to “get the message” and end the green-versus-blue bubble controversy by adopting RCS messaging. Apple’s response eventually came at WWDC 2023, where it introduced a new iOS 17 feature called Contact Posters, which instead of bringing everyone together, only furthers the us-versus-them split between Android and iOS.

If you thought the green/blue iMessage arguments could get fiery, there’s a lot more to come.
Blue good, green bad

Read more
Everything Apple didn’t add to iOS 17
iOS 17 logo and renders on Apple's website.

Apple’s WWDC 2023 keynote has come and gone, and with it came one of the biggest new announcements in years: Apple Vision Pro, which is Apple’s first foray into the VR/AR headset space. Of course, we also got software updates for existing products that we already have right now, including iOS 17 for the iPhone.

Before WWDC 2023 kicked off, there were a lot of rumors and speculation revolving around iOS 17 and what we would end up seeing —with the possibility of some “highly requested features from users.” Now that it’s been announced, it’s actually not as exciting as we thought, and some of the features that did get announced weren’t leaked.

Read more