Skip to main content

Apple’s iOS 15.3 update fixes critical Safari security bug

Apple has just released iOS 15.3, and while this latest update doesn’t add any significant new features, it addresses at least one critical security flaw. Earlier this month, software engineer Martin Bajanik of FingerprintJS found a serious vulnerability in Safari 15, the browser included in iOS 15 and iPadOS 15, that could leak browsing history information and even credentials from online services that a person is using, such as Google, YouTube, Amazon, and sites using WordPress.

As Bajanik explains, many websites use an API called IndexedDB to request that browsers like Safari and Chrome store information in a local database on a person’s device. Under normal circumstances, a given website should only be able to request information about the databases that it created — any others should be invisible to it.

Related Videos
An iPad screen showing website data in Safari settings.
Jesse Hollington / Digital Trends

Unfortunately, it turns out the Safari browser in iOS 15 wasn’t exactly respecting those rules. Although it wasn’t giving out any information stored in those databases, it was happily providing a full list of all the local databases to any website that asked.

While this may sound relatively innocuous on the surface, the problem is that many services use sensitive information for these database names. For instance, Google uses an internal unique and user-specific identifier that allows anybody who is logged into their Google Account to be “uniquely and precisely identified.” Bajanaik notes that this Google User ID can even be fed into Google APIs to pull up public information on the account owner, such as their name and profile picture.

To make matters worse, not only does this allow a malicious website to learn a user’s identity, but it can also be used to get a list of multiple accounts owned by the same person. This could create a serious breach of privacy in situations where someone is using an anonymous account that’s not tied to their personal identity in any way. A hacker exploiting this flaw could make a connection by discovering that the same individual had information for both accounts stored in their browser.

The flaw also appears to be easy to exploit. Bajanaik explains that “a tab or window that runs in the background and continually queries the IndexedDB API for available databases, can learn what other websites a user visits in real time,” allowing hackers to collect data on targets simply by planting malicious code in a seemingly legitimate website.

Security fixes in iOS 15.3

Compared with the exciting features that arrived in the last couple major iOS releases, this week’s iOS 15.3 update may appear pretty boring, but it shouldn’t be taken lightly. In fact, it’s even more important to update to iOS 15.3 as soon as possible.

Not only does iOS 15.3 fix this particularly nasty security hole in Safari, but according to Apple’s release notes, there are nine other important security fixes, including one that Apple notes “may have been actively exploited.”

Other security vulnerabilities resolved in iOS 15.3 include an iCloud bug that could allow applications to bypass security and access a user’s files, plus several other scenarios where malicious applications could find ways to gain root privileges or arbitrarily execute code to do things they shouldn’t be permitted to do.

Editors' Recommendations

The Pixel 7’s best camera trick is coming to the iPhone and all Android phones
Erasing items in Magic Eraser.

The Google Pixel series of phones, specifically the Pixel 6 and Pixel 7, have an exclusive feature called Magic Eraser. With Magic Eraser, you can get rid of unwanted objects in a photo, such as people in the background or things like power lines. As of today, Magic Eraser is becoming available to all Android phones and iPhone users through Google One.

Magic Eraser debuted on the Pixel 6 lineup, which includes the Pixel 6, Pixel 6 Pro, and the more affordable Pixel 6a, which is still available to purchase (the Pixel 6 and 6 Pro have been discontinued). If you have a Pixel 7 or Pixel 7 Pro, you also have the Magic Eraser feature. One of the reasons I had always wanted a Pixel device is because of Magic Eraser, and it is something that I desperately wished Apple would implement.

Read more
Microsoft is already expanding Bing Chat to Skype and phones
Microsoft Edge browser showing Bing Chat on an iPhone.

Bing Chat, the AI chatbot powered by ChatGPT, is one of Microsoft's most exciting products, and the Windows developer is wasting no time in incorporating artificial intelligence into more of its products, including three of its mobile apps: Skype, Bing mobile, and Edge.

Microsoft announced the news in a blog post this morning. The Edge browser and the Bing app are obvious choices for adding AI-enhanced search, and early access users will begin seeing Bing Chat in those apps soon. We'd seen hints about Bing Chat on mobile, just two days ago, so Microsoft is moving quickly.

Read more
SMS 2FA is insecure and bad — use these 5 great authenticator apps instead
Twilio Authy 2FA app running on an iPhone.

You probably have what seems like a million accounts across the internet these days, right? At least, that’s what it feels like for me — with all these social media, email, and banking accounts, plus digital storefronts, and more. Regardless of where I access these from, whether it’s my iPhone 14 Pro or my Samsung Galaxy S23 Plus, or even my Mac, the first step is to make sure that I have a strong and secure (preferably randomly generated) password. But for extra peace of mind, everyone needs to look into two-factor authentication (2FA) to really keep people out.

Recently, Twitter has made the news yet again because it’s forcing everyone who uses SMS 2FA to either remove it from their account or subscribe to Twitter Blue to keep it. SMS 2FA is when you get a code sent as an SMS to your phone, and while it's convenient, this is the least secure 2FA method available. SMS 2FA is susceptible to numerous vulnerabilities, including SIM swapping (where someone takes over a mobile phone number by convincing a carrier to link that number with the SIM card), SIM duplication attacks, and more.

Read more