Google researchers have discovered “multiple security flaws” in Apple’s Safari browser, a new report from the Financial Times says. The flaws were found in Safari’s Intelligent Tracking Prevention feature, which is designed to protect users from cross-site tracking and other online privacy concerns, and have since been fixed.
The report from the Financial Times cites a soon-to-be-released paper in which researchers from Google’s cloud team explain the vulnerabilities. According to the report, Google researchers have identified five different attacks that could result from the security flaws in Safari.
Intelligent Tracking Prevention left personal data exposed because of how it “implicitly stores information about the websites visited by the users,” Google researchers say. Ironically, Google researchers also say that one security flaw allowed hackers to “create a persistent fingerprint that will follow the user around the web.” Other flaws “were able to reveal what individual users were searching for on search engine pages.”
In essence, security flaws in Apple’s Intelligent Tracking Prevention platform made users vulnerable to tracking similar to what the feature is designed to prevent.
“You would not expect privacy-enhancing technologies to introduce privacy risks,” said Lukasz Olejnik, an independent security researcher who has seen the paper. “If exploited or used, (these vulnerabilities) would allow unsanctioned and uncontrollable user tracking.”
Google made Apple aware of these vulnerabilities in August of last year, and the Financial Times says Apple rolled out a fix to Safari’s Intelligent Tracking Prevention feature in December. Apple referenced the fixes in a blog post in December, thanking Google for the help.
We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection.
With that being said, Google Chrome Engineering Director Justin Schuh said on Twitter this morning that the actual vulnerabilities have not been fixed, despite Apple’s claim. The full paper is now available to read here.
It has not. I explained elsewhere that Apple's blog post was confusing to the team that provided the report. The post was made during a disclosure extension Apple had requested, but didn't disclose the vulnerabilities, and the changes mentioned didn't fix the reported issues.
— Justin Schuh 🤬 (@justinschuh) January 22, 2020