Security News

Apple releases Safari 15.6.1 to fix zero-day bug used in attacks
2022-08-18 19:49

Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs. "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," warns Apple in a security bulletin released today.

How refactoring code in Safari's WebKit resurrected 'zombie' security bug
2022-06-21 08:31

A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago - a perfect example of a "Zombie" vulnerability. That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices - or a bug closely related to a patched one.

Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild
2022-06-20 23:18

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero. In early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it "May have been actively exploited."

Apple fixes Safari data leak (and patches a zero-day!) – update now
2022-01-27 21:09

Just under two weeks ago, we wrote about an Apple Safari bug that could allow rogue website operators to track you even if they gave every impression of not doing so, and even if you had strict privacy protection turned on. That vulnerability, now known as CVE-2022-22594, showed up in Safari because of a bug in WebKit, the "Browser rendering engine", as these things are generally known, on which the Safari app is based.

Infosec chap: I found a way to hijack your web accounts, turn on your webcam from Safari – and Apple gave me $100k
2022-01-26 08:32

A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts - and even their webcams. Ryan Pickren, last seen on The Register after scooping $75k from Cupertino's coffers for finding an earlier webcam-snooping flaw, said the universal cross-site scripting bug in Safari could have been abused by a webpage to hijack a web account the user is logged into, which would be bad. It was also possible to activate the webcam.

Apple preps fix for Safari's web-history-leaking IndexedDB privacy bug
2022-01-21 22:56

Apple is preparing to repair a bug in its WebKit browser engine that has been leaking data from its Safari 15 browser at least since the problem was reported last November. Updates made available on Thursday to Apple developers - iOS 15.3 RC and macOS 12.2 RC - reportedly fix the flaw, an improper implementation of the IndexedDB API that allows websites to track users and potentially identify them.

Pervasive Apple Safari Bug Exposes Web-Browsing Data, Google IDs
2022-01-20 16:50

Typically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin/back-end server. Without this security policy in place, a snooper who manages to inject a malicious script into one website would be able to have free access to any data contained in other tabs the victim may have open in the browser, including access to online banking sessions, emails, healthcare portal data and other sensitive information.

Serious Security: Apple Safari leaks private data via database API – what you need to know
2022-01-18 19:23

Researchers at browser identification company FingerprintJS recently found and disclosed a fascinating data leakage bug in Apple's web browser software. At first telling, the bug sounds both undramatic and unimportant: although it allows private data to leak between separate browser tabs that contain content from unrelated websites, the amount of data that leaks is minuscule.

Bug in WebKit's IndexedDB implementation makes Safari 15 leak Google account info... and more
2022-01-17 18:31

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers. The Safari bug can then expose publicly available information from, say, a Google account.

Safari bug leaks your Google account info, browsing history
2022-01-17 13:47

There's a problem with the implementation of the IndexedDB API in Safari's WebKit engine, which could result in leaking browsing activity in real-time and even user identities to anyone exploiting this flaw. IndexedDB is a widely used browser API that is a versatile client-side storage system with no capacity limits.