Security News

A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago - a perfect example of a "Zombie" vulnerability. That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices - or a bug closely related to a patched one.

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero. In early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it "May have been actively exploited."

Just under two weeks ago, we wrote about an Apple Safari bug that could allow rogue website operators to track you even if they gave every impression of not doing so, and even if you had strict privacy protection turned on. That vulnerability, now known as CVE-2022-22594, showed up in Safari because of a bug in WebKit, the "Browser rendering engine", as these things are generally known, on which the Safari app is based.

A security bod scored a $100,500 bug bounty from Apple after discovering a vulnerability in Safari on macOS that could have been exploited by a malicious website to potentially access victims' logged-in online accounts - and even their webcams. Ryan Pickren, last seen on The Register after scooping $75k from Cupertino's coffers for finding an earlier webcam-snooping flaw, said the universal cross-site scripting bug in Safari could have been abused by a webpage to hijack a web account the user is logged into, which would be bad. It was also possible to activate the webcam.

Apple is preparing to repair a bug in its WebKit browser engineer that has been leaking data from its Safari 15 browser at least since the problem was reported last November. Updates made available on Thursday to Apple developers - iOS 15.3 RC and macOS 12.2 RC - reportedly fix the flaw, an improper implementation of IndexedDB API that allows websites to track users and potentially identify them.

Typically, a web browser permits scripts on one web page to access data on a second web page only if both pages have the same origin/back-end server. Without this security policy in place, a snooper who manages to inject a malicious script into one website would be able to have free access to any data contained in other tabs the victim may have open in the browser, including access to online banking sessions, emails, healthcare portal data and other sensitive information.

Researchers at browser identification company FingerprintJS recently found and disclosed a fascinating data leakage bug in Apple's web browser software. At first telling, the bug sounds both undramatic and unimportant: although it allows private data to leak between separate browser tabs that contain content from unrelated websites, the amount of data that leaks is minuscule.

An improperly implemented API that stores data on browsers has caused a vulnerability in Safari 15 that leaks user internet activity and personal identifiers. The Safari bug can then expose publicly available information from, say, a Google account.

There's a problem with the implementation of the IndexedDB API in Safari's WebKit engine, which could result in leaking browsing activity in real-time and even user identities to anyone exploiting this flaw. IndexedDB is a widely used browser API that is a versatile client-side storage system with no capacity limits.

A software bug introduced in Apple Safari 15's implementation of the IndexedDB API could be abused by a malicious website to track users' online activity in the web browser and worse, even reveal their identity. That's not the case with how Safari handles the IndexedDB API in Safari across iOS, iPadOS, and macOS. "In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy," Martin Bajanik said in a write-up.