Apple releases iOS 15.3 and iPadOS 15.3 to fix widely exploited Safari bug that leaked personal data

Apple has released its latest software update for mobile devices in the form of iOS 15.3 and iPadOS 15.3. The updates should be already available for devices still supported by Apple. The latest update fixes an actively exploited memory corruption bug.

Another bug, in the Safari browser’s WebKit implementation, allowed any website using a specific JavaScript application programming interface (API) to access the names of databases generated by other websites during the same browsing session. This bug enabled a carefully formatted malicious site to spy on other sites while Safari was open. Because some websites use user-specific identifiers in their database names, this could lead to personal information being leaked.

The problem is not limited to just the Safari browser. Since Apple forces third-party Internet browsers on iPadOS and iOS to use its rendering engine, the bug affects Chrome and other browsers as well.

The Safari 15 bug was first identified by browser fingerprinting and fraud detection service FingerprintJS. The vulnerability stemmed from Apple’s implementation of IndexedDB, an API that stores data on the browser. The bug bypassed the Safari 15 API’s same-origin policy that restricts one origin from interacting with data collected on other origins, FingerprintJS had said at the time.

The fraud detection service had also created a proof-of-concept demo for consumers using Safari 15.

While the iOS 15.3 and iPadOS 15.3 updates do not introduce any new features, it fixes several security issues that could possibly lead to private information becoming public.

The iOS 15.3 and iPadOS 15.3 updates come after the Cupertino-based tech giant reportedly ended support for the iOS 14. Those still on iOS 14 were not pushed to update to the iOS 15 until the recent release of the iOS 15.2.1. Now, users not on the current version of iOS on a supported device are being prompted to update to iOS 15.3.