Apple Safari flaw left users’ browsing activity open to being tracked

In a seemingly rare case of huge tech firms looking out for one another, Google has revealed that it recently informed Apple of a serious security flaw that it discovered in Apple’s Safari browser. The vulnerability could have given hackers access to a user’s online behavior, with persistent tracking of a user’s web searches also possible, Google said.

In a technical paper posted online this week, Google researchers described how they found five different kinds of potential attacks linked to the vulnerability that would have enabled third parties to gather “sensitive private information about the user’s browsing habits.”

The issue concerned Apple’s Intelligent Tracking Prevention (ITP) technology, a privacy mechanism incorporated into the Safari browser in October 2017. ITP is designed to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data, but, ironically, the ITP vulnerability had the potential to expose browser-linked data.

Google said that the uncovered flaw put users’ data at risk as it offered access to an on-device list created by the ITP technology that “implicitly stores information about the websites visited by the user.” Lukasz Olejnik, an independent security researcher, told the Financial Times (FT) that if the weakness had been exploited or used, it would’ve paved the way for “unsanctioned and uncontrollable user tracking.”

According to the FT, Google informed Apple about the vulnerability in August 2019, prompting the company to fix it. At the end of last year, Apple engineer John Wilander acknowledged Google’s assistance in a blog post, though at the time he declined to offer any specific information about the issue.

“We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection,” Wilander wrote in the post. “Their responsible disclosure practice allowed us to design and test the changes detailed above.”

In a separate statement released this week, Google said it has always been keen to work with companies in the tech industry “to exchange information about potential vulnerabilities and protect our respective users,” explaining that Google’s core security research team had worked “closely and collaboratively with Apple on this issue.” It added, “The technical paper simply explains what our researchers discovered so others can benefit from their findings.”

We’ve reached out to Apple for more information about the security issue with its web browser and will update this article if we hear back.

Trevor Mogg
Contributing Editor