Google researchers have discovered “multiple security flaws” in Apple’s Safari browser, a new report from the Financial TImes says. The flaws were found in Safari’s Intelligent Tracking Prevention feature, which is designed to protect users from cross-site tracking and other online privacy concerns, and have since been fixed.

The report from the Financial Times cites a soon-to-be-released paper in which researchers from Google’s cloud team explain the vulnerabilities. According to the report, Google researchers have identified five different attacks that could result from the security flaws in Safari.

The Intelligent Tracking Prevention left personal data exposed because of how it “implicitly stores information about the websites visited by the users,” Google researchers say. Ironically, Google researchers also say that a security flaw that allowed hackers to “create a persistent fingerprint that will follow the user around the web.” Other flaws “were able to reveal what individual users were searching for on search engine pages.”

In essence, security flaws in Apple’s Intelligent Tracking Prevention platform made users vulnerable to tracking similar to what the feature is designed to prevent.

“You would not expect privacy-enhancing technologies to introduce privacy risks,” said Lukasz Olejnik, an independent security researcher who has seen the paper. “If exploited or used, (these vulnerabilities) would allow unsanctioned and uncontrollable user tracking.

Google made Apple aware of these vulnerabilities in August of last year, and the Financial Times says Apple rolled out a fix to Safari’s Intelligent Tracking Prevention feature in December. Apple referenced the fixes in a blog post in December, thanking Google for the help.

We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection.

With that being said, Google Chrome Engineering Director Justin Schuh said on Twitter this morning that the actual vulnerabilities have not been fixed, despite Apple’s claim. The full paper is now available to read here.

FTC: We use income earning auto affiliate links. More.


Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author