
Apple’s iOS 15.3 update fixes critical Safari security bug

Apple has just released iOS 15.3, and while this latest update doesn’t add any significant new features, it addresses at least one critical security flaw. Earlier this month, software engineer Martin Bajanik of FingerprintJS found a serious vulnerability in Safari 15, the browser included in iOS 15 and iPadOS 15, that could leak browsing history information and even credentials from online services that a person is using, such as Google, YouTube, Amazon, and sites using WordPress.

As Bajanik explains, many websites use an API called IndexedDB to request that browsers like Safari and Chrome store information in a local database on a person’s device. Under normal circumstances, a given website should only be able to request information about the databases that it created — any others should be invisible to it.


Unfortunately, it turns out the Safari browser in iOS 15 wasn’t exactly respecting those rules. Although it wasn’t giving out any information stored in those databases, it was happily providing a full list of all the local databases to any website that asked.

While this may sound relatively innocuous on the surface, the problem is that many services use sensitive information for these database names. For instance, Google uses an internal unique and user-specific identifier that allows anybody who is logged into their Google Account to be “uniquely and precisely identified.” Bajanik notes that this Google User ID can even be fed into Google APIs to pull up public information on the account owner, such as their name and profile picture.

To make matters worse, not only does this allow a malicious website to learn a user’s identity, but it can also be used to get a list of multiple accounts owned by the same person. This could create a serious breach of privacy in situations where someone is using an anonymous account that’s not tied to their personal identity in any way. A hacker exploiting this flaw could make a connection by discovering that the same individual had information for both accounts stored in their browser.

The flaw also appears to be easy to exploit. Bajanik explains that “a tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real time,” allowing hackers to collect data on targets simply by planting malicious code in a seemingly legitimate website.
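
For site owners, the exposure described above comes down to what their own database names contain. The following is an added example, not code from the article or from FingerprintJS: a small audit that flags IndexedDB database names embedding user-identifying values. The patterns, function names, and sample names are assumptions constructed for illustration.

```javascript
// Added example: audit IndexedDB database names for user-identifying content.
// In a browser, collect the names for your own origin with:
//   const names = (await indexedDB.databases()).map((d) => d.name);
// A constructed list stands in below so the script also runs offline.

// Heuristic patterns (assumptions) for values that identify a user.
const PATTERNS = [
  { reason: "email address", re: /[^\s@]+@[^\s@]+\.[a-z]{2,}/i },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "long numeric ID", re: /\d{12,}/ },
];

// Returns one finding per database name that embeds a known user ID
// or matches one of the heuristic patterns.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    if (knownUserIds.some((id) => id && name.includes(id))) {
      reasons.push("contains current user's ID");
    }
    for (const { reason, re } of PATTERNS) {
      if (re.test(name)) reasons.push(reason);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample input: names an application might create.
const SAMPLE_NAMES = [
  "app-cache-v2",
  "offline.settings.123456789012345678901",
  "drafts:alice@example.com",
  "sync-3f2b8c1e-9a4d-4e7b-8c21-0d5f6a7b8c9d",
  "u_ab12cd_messages",
];
const SAMPLE_USER_IDS = ["ab12cd"]; // hypothetical ID of the signed-in test user

function runSampleAudit() {
  return auditDatabaseNames(SAMPLE_NAMES, SAMPLE_USER_IDS);
}

for (const f of runSampleAudit()) {
  console.log(`${f.name}: ${f.reasons.join(", ")}`);
}
```

Any name this flags would have identified the user to every site able to list databases under the Safari 15 behavior; a fixed, user-independent database name avoids that.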

Security fixes in iOS 15.3

Compared with the exciting features that arrived in the last couple of major iOS releases, this week’s iOS 15.3 update may appear pretty boring, but it shouldn’t be taken lightly. In fact, it’s even more important to update to iOS 15.3 as soon as possible.

Not only does iOS 15.3 fix this particularly nasty security hole in Safari, but according to Apple’s release notes, there are nine other important security fixes, including one that Apple notes “may have been actively exploited.”

Other security vulnerabilities resolved in iOS 15.3 include an iCloud bug that could allow applications to bypass security and access a user’s files, plus several other scenarios where malicious applications could find ways to gain root privileges or arbitrarily execute code to do things they shouldn’t be permitted to do.
