Serious privacy bug still present in Safari since 2013

[J. J.]

As AppleInsider notes, Safari for OS X is affected by a serious privacy bug since 2013.

Basically, your computer keeps track of the pages you visit in private browsing mode. More specifically, the file ~/Library/Safari/WebpageIcons.db stores data from all the websites visited.

I think that users should be warned; this could be a very serious privacy issue. It's a shame that Apple hasn't resolved this issue yet.

 

[Zerozal]

Wow, thanks for posting this—I had no idea.

I just tested and verfiied that yes, this is in fact true—I opened a private window and navigated to a new site, then saw that indeed the site showed up in the db.

At least the list of URLs isn't in text file. You do need to have a SQL database viewer (and know how to use it) to view the URLs, but SQL db viewers are free and not difficult to figure out.

Hopefully Apple plugs this privacy hole in a future release.

 

[GGJstudios]

Simply resetting Safari clears that data. It's not a big deal. It's no different than Safari keeping your history and cache until you clear them. If you feel that strongly about it, you can simply set that file to read only and it will never record any URL data.

 

[J. J.]

Simply resetting Safari clears that data. It's not a big deal. It's no different than Safari keeping your history and cache until you clear them. If you feel that strongly about it, you can simply set that file to read only and it will never record any URL data.

The problem is that users will think that private prowsing won't leave any track unless they are aware of the bug.

 

[aquajet]

Simply resetting Safari clears that data. It's not a big deal. It's no different than Safari keeping your history and cache until you clear them. If you feel that strongly about it, you can simply set that file to read only and it will never record any URL data.

Why on earth would you think this isn't a big deal. Private browsing is supposed to mean something, and in this case it means the exact opposite of what people expect.

 

[GGJstudios]

The problem is that users will think that private prowsing won't leave any track unless they are aware of the bug.

While that's true, I would think that most people using Private Browsing would also be likely to reset Safari after a session, to be sure there's no data stored. Only if you switch from Private Browsing to normal browsing and don't clear data would this be a problem. I set that file to read-only a couple years ago, and haven't had to think about it since.

You can also delete the file and permanently disable it from being recreated by entering the following in Terminal:

defaults write com.apple.Safari WebIconDatabaseEnabled -bool NO​

 

[SlCKB0Y]

While that's true, I would think that most people using Private Browsing would also be likely to reset Safari after a session, to be sure there's no data stored.

Based on what? Why would someone go to the trouble of using Private Browsing and then reset safari as well?

 

[Dolorian]

While that's true, I would think that most people using Private Browsing would also be likely to reset Safari after a session, to be sure there's no data stored.

There is no precedent for them to go that extra step. The working assumption of the person using private browsing is that no data is stored; especially given that Safari itself tells you that it "won't remember the pages you visit, your search history, or your AutoFill information". This is a blunder on Apple's part and I really hope they fix it ASAP.