Skip to main content

Apple Safari flaw left users’ browsing activity open to being tracked

In a seemingly rare case of huge tech firms looking out for one another, Google has revealed that it recently informed Apple of a serious security flaw that it discovered with its Safari browser. The vulnerability could have given hackers access to a user’s online behavior, with persistent tracking of a user’s web searches also possible, Google said.

In a technical paper posted online this week, Google researchers described how they found five different kinds of potential attacks linked to the vulnerability that would have enabled third parties to gather “sensitive private information about the user’s browsing habits.”

The issue concerned Apple’s Intelligent Tracking Prevention (ITP) technology, a privacy mechanism incorporated into the Safari browser in October 2017. ITP is designed to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data, but, ironically, the ITP vulnerability had the potential to expose browser-linked data.

Google said that the uncovered flaw put users’ data at risk as it offered access to an on-device list created by the ITP technology that “implicitly stores information about the websites visited by the user.” Lukasz Olejnik, an independent security researcher, told the Financial Times (FT) that if the weakness had been exploited or used, it would’ve paved the way for “unsanctioned and uncontrollable user tracking.”

According to the FT, Google informed Apple about the vulnerability in August 2019, prompting the company to fix it. At the end of last year, Apple engineer John Wilander acknowledged Google’s assistance in a blog post, though at the time he declined to offer any specific information about the issue.

“We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection,” Wilander wrote in the post. “Their responsible disclosure practice allowed us to design and test the changes detailed above.”

In a separate statement released this week, Google said it has always been keen to work with companies in the tech industry “to exchange information about potential vulnerabilities and protect our respective users,” explaining that Google’s core security research team had worked “closely and collaboratively with Apple on this issue.” It added,”The technical paper simply explains what our researchers discovered so others can benefit from their findings.”

We’ve reached out to Apple for more information about the security issue with its web browser and will update this article if we hear back.

Editors' Recommendations

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…
Apple’s iOS 15.3 update fixes critical Safari security bug
iPhone showing Home Screen with widgets resting on soft white cloth background.

Apple has just released iOS 15.3, and while this latest update doesn’t add any significant new features, it addresses at least one critical security flaw. Earlier this month, software engineer Martin Bajanik of FingerprintJS found a serious vulnerability in Safari 15, the browser included in iOS 15 and iPadOS 15, that could leak browsing history information and even credentials from online services that a person is using, such as Google, YouTube, Amazon, and sites using WordPress.

As Bajanik explains, many websites use an API called IndexedDB to request that browsers like Safari and Chrome store information in a local database on a person’s device. Under normal circumstances, a given website should only be able to request information about the databases that it created — any others should be invisible to it.

Read more
Critical Mac update fixes Safari bug that leaks user data
The new MacBook Pro seen from the side.

A nasty bug in Safari has been discovered, and Apple has made available an update to MacOS Monterey and iOS that should solve the critical flaw.

The releases are MacOS Monterey 12.2 and iOS 15.3, both of which patch the vulnerability, which may have been exposing your browsing data. The release candidates are both currently available through GitHub, with official releases expected next week.

Read more
Apple and Google are going to need to open up their app stores in South Korea
The Apple logo is displayed at the Apple Store June 17, 2015 on Fifth Avenue in New York City

Apple and Google will now be mandated to allow for alternate payment systems for apps in the App Store and Play Store, respectively, at least in South Korea. The move comes as part of an amendment to the Telecommunications Business Act that bars companies from forcing third-party developers to use their in-app payment systems for in-app purchases. It will also require app store operators to speedily approve apps and prevent them from deleting apps from the stores without a reasonable explanation, the Wall Street Journal reports.

Apple and Google's app store practices have come under scrutiny over the past few years. In addition to rules around what content may or may not be admitted, developers have increasingly expressed ire about the standardized 30% commission required for each in-app transaction. This comes as a result of both companies mandating the use of their respective billing systems, with exceptions being made to select types of apps (food delivery services, for example.)

Read more