Safari bug leaks user information, allowing user tracking

Safari 15 exposes IndexedDB data between sites that are open in tabs or were recently opened.

Sites cannot read the contents of another site's IndexedDB databases; however, the names of the databases are accessible to all sites. Google keeps the user ID as part of the database name, which allows cross-site tracking.

Use alternate browsers until a fix is released

Even Private Mode is vulnerable, and no workarounds are available at this time.
Alternate browsers on iOS are also vulnerable, and Private Mode does not fully protect from tracking.

Users should use alternate browsers on macOS and wait for Apple's fix.

Live demo: Safari Leaks


[UPDATED] RCE 0-day exploit found in log4j

Log4j is a popular Java logging package used by many backends.

Details of the vulnerability are available here. According to reports, libraries and solutions that use Apache log4j (we are talking about Steam, iCloud or Minecraft servers) are also vulnerable. Solutions using the Struts library are probably vulnerable as well.

Affected log4j versions: 2.0 <= Apache log4j <= 2.14.1
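
An added example (not from the original post or from the log4j project): a Python check that classifies log4j-core jar file names against the affected range stated above. The file-name convention and the sample paths are assumptions constructed for illustration.

```python
import re

# Affected range as stated on this page: 2.0 <= Apache log4j <= 2.14.1
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Assumed naming convention: log4j-core-<major>.<minor>[.<patch>][suffix].jar
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?([-.][\w.]+)?\.jar$")

SAMPLE_PATHS = [  # constructed inventory, not taken from the page
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.17.1.jar",
    "/srv/game/libraries/log4j-core-2.0-beta9.jar",
    "/opt/legacy/lib/log4j-1.2.17.jar",
    "/opt/app/BOOT-INF/lib/log4j-core-2.8.jar",
]


def classify(path):
    """Return 'affected', 'not-affected', 'review', or None for one path."""
    m = JAR_RE.search(path)
    if not m:
        return None  # not a log4j-core jar by name
    if m.group(4):
        # Pre-release or vendor suffix (e.g. -beta9): the stated range does
        # not say how these compare, so flag them for manual review.
        return "review"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def scan(paths):
    """Group paths by verdict, skipping files that are not log4j-core."""
    report = {"affected": [], "not-affected": [], "review": []}
    for p in paths:
        verdict = classify(p)
        if verdict:
            report[verdict].append(p)
    return report


if __name__ == "__main__":
    for verdict, hits in scan(SAMPLE_PATHS).items():
        for p in hits:
            print(f"{verdict:13} {p}")
```

Matching by file name misses copies bundled under another name inside fat or shaded jars, so treat a clean result as a first pass only.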

Apple issues an apology to security researcher

As reported earlier, Apple seemed to ignore reports of zero-day vulnerabilities in iOS. Now the story continues with a report from Denis Tokarev: Apple contacted him and apologized for the delays in response.

"We saw your blog post regarding this issue and your other reports. We apologize for the delay in responding to you," an Apple employee wrote. "We want to let you know that we are still investigating these issues and how we can address them to protect customers. Thank you again for taking the time to report these issues to us, we appreciate your assistance. Please let us know if you have any questions."