Apple’s iOS 15.3 update fixes critical Safari security bug

Apple has just released iOS 15.3, and while this latest update doesn’t add any significant new features, it addresses at least one critical security flaw. Earlier this month, software engineer Martin Bajanik of FingerprintJS found a serious vulnerability in Safari 15, the browser included in iOS 15 and iPadOS 15, that could leak browsing history information and even credentials from online services that a person is using, such as Google, YouTube, Amazon, and sites using WordPress.

As Bajanik explains, many websites use an API called IndexedDB to request that browsers like Safari and Chrome store information in a local database on a person’s device. Under normal circumstances, a given website should only be able to request information about the databases that it created — any others should be invisible to it.

Unfortunately, it turns out the Safari browser in iOS 15 wasn’t exactly respecting those rules. Although it wasn’t giving out any information stored in those databases, it was happily providing a full list of all the local databases to any website that asked.

While this may sound relatively innocuous on the surface, the problem is that many services use sensitive information for these database names. For instance, Google uses an internal unique and user-specific identifier that allows anybody who is logged into their Google Account to be “uniquely and precisely identified.” Bajanik notes that this Google User ID can even be fed into Google APIs to pull up public information on the account owner, such as their name and profile picture.

To make matters worse, not only does this allow a malicious website to learn a user’s identity, but it can also be used to get a list of multiple accounts owned by the same person. This could create a serious breach of privacy in situations where someone is using an anonymous account that’s not tied to their personal identity in any way. A hacker exploiting this flaw could make a connection by discovering that the same individual had information for both accounts stored in their browser.

The flaw also appears to be easy to exploit. Bajanik explains that “a tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real time,” allowing hackers to collect data on targets simply by planting malicious code in a seemingly legitimate website.
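For site owners, the practical lesson is that IndexedDB database names should never embed user identifiers, since a name can be exposed even when the contents are not. The following is an added example, not code from FingerprintJS or Apple: a small audit that flags names which look like they carry an identifier. The patterns, thresholds, function names and sample names are assumptions made for illustration.

```javascript
// Added example: audit IndexedDB database names for embedded user identifiers.
// Patterns and length thresholds are illustrative assumptions, not a standard.
const PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "numeric-id", re: /\d{10,}/ },   // long account-style numbers
  { kind: "hex-token", re: /[0-9a-f]{24,}/i }, // long hex strings, e.g. hashes
];

// Return the first identifier category a name matches, or null if it looks opaque.
function classifyName(name) {
  for (const { kind, re } of PATTERNS) {
    if (re.test(name)) return kind;
  }
  return null;
}

// Produce one finding per database name that appears to carry an identifier.
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    const kind = classifyName(name);
    if (kind) findings.push({ name, kind });
  }
  return findings;
}

// In a browser, audit the databases your own origin has created.
// Outside a browser (or where databases() is unsupported) this returns [].
async function auditOwnOrigin() {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names (not taken from any real service).
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline.settings.123456789012345678901",
  "inbox-alice@example.com",
  "sync-3f2504e0-4f89-11d3-9a0c-0305e82c3301",
  "keyval-store",
];
```

Run `auditDatabaseNames(SAMPLE_NAMES)` in a console to see the three flagged names; any finding on a real site is a cue to rename the database to a fixed, user-independent string.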

Security fixes in iOS 15.3

Compared with the exciting features that arrived in the last couple of major iOS releases, this week’s iOS 15.3 update may appear pretty boring, but it shouldn’t be taken lightly. In fact, it’s even more important to update to iOS 15.3 as soon as possible.

Not only does iOS 15.3 fix this particularly nasty security hole in Safari, but according to Apple’s release notes, there are nine other important security fixes, including one that Apple notes “may have been actively exploited.”

Other security vulnerabilities resolved in iOS 15.3 include an iCloud bug that could allow applications to bypass security and access a user’s files, plus several other scenarios where malicious applications could find ways to gain root privileges or arbitrarily execute code to do things they shouldn’t be permitted to do.

Jesse Hollington