Flaws in Apple's Intelligent Tracking Prevention Safari Feature Let People Be Tracked

safari iconGoogle researchers discovered multiple security flaws in Apple's Safari web browser that let users' browsing habits be tracked despite Apple's Intelligent Tracking Prevention feature.

Google plans to publish details on the security flaws in the near future, and a preview of Google's discovery was seen by Financial Times, with the publication sharing information on the vulnerabilities this morning.

The security flaws were first found by Google in the summer of 2019, and were disclosed to Apple in August. There were five types of potential attacks that could allow third parties to learn "sensitive private information about the user's browsing habits."

Google researchers say that Safari left personal data exposed because the Intelligent Tracking Prevention List "implicitly stores information about the websites visited by the user." Malicious entities could use these flaws to create a "persistent fingerprint" that would follow a user around the web or see what individual users were searching for on search engine pages.

Intelligent Tracking Prevention, which Apple began implementing in 2017, is a privacy-focused feature meant to make it harder for sites to track users across the web, preventing browsing profiles and histories from being created.

Lukasz Olejnik, a security researcher who saw Google's paper, said that if exploited, the vulnerabilities "would allow unsanctioned and uncontrollable user tracking." Olejnik said that such privacy vulnerabilities are rare, and "issues in mechanisms designed to improve privacy are unexpected and highly counter-intuitive."

Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its "responsible disclosure practice," though full security credit has not yet been provided by Apple so there's a chance that there's still some behind-the-scenes fixing to be done.

Tags: Google, Safari

Top Rated Comments

SDJim Avatar
30 months ago
Oooooooooh the irony.
Score: 37 Votes (Like | Disagree)
centauratlas Avatar
30 months ago
Apple is doing a good job with privacy and it is good Google is disclosing problems. What this shows though is that no matter how good one thinks that a particular company (any) is, things can slip through the cracks.

For example, someone might think there is no way Apple could have an issue with their iCloud encryption or with the servers housing the Apple private key encrypted iCloud data and in all likelihood they'll be wrong. Trusting any centralized source like this will be a problem at some point.
Score: 19 Votes (Like | Disagree)
Mr. Awesome Avatar
30 months ago
“There were five types of potential attacks that could allow third parties to learn ‘sensitive private information about the user's browsing habits.’” said Google, everyone’s favorite data-collecting tech giant.
Score: 17 Votes (Like | Disagree)
PickUrPoison Avatar
30 months ago

Rough week for Apple---

Ah, the good'ol Safari, one of Apple's biggest software troll since Cook.

Seems like Apple has these rough weeks quite often these days. Reality is a bitch when all you've got is marketing.

....about a company who’s entire business spin is about privacy and security

What but i thought..........................


Well it was a pretty long article I guess. For those who didn’t bother reading to the end:

“Apple appears to have addressed these Safari security flaws in a December update, based on a release update ('https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/') that thanked Google for its ‘responsible disclosure practice....’ ”

?
Score: 16 Votes (Like | Disagree)
Dave-Z Avatar
30 months ago

Reality is a bitch when all you've got is marketing.
So true. I used to love Apple, but since around 2015 I've had nothing but problems with their hardware and software. Their software is so buggy; I remember when things just worked and now odd glitches are a daily occurrence.

Personally I hate this Safari feature. I much rather have full control over what sites store/don't store. On my laptop and desktop I have Firefox reject all third-party cookies (there's virtually no legitimate reason to have them anyway), in addition to usual extensions to block trackers, etc. Safari is only used on my phone and this "feature" of Apple's causes problems because it's not learning the sites I visit and keeps deleting legitimate cookies for those sites so I have to login/change settings when I visit. There really should be more control for the end user but that's not the Apple way.
Score: 12 Votes (Like | Disagree)
Swift Avatar
30 months ago
Meanwhile, Google can't build a browser like Safari because they make more money on ads if they let people track you by default. Google Ads needs it.
Score: 9 Votes (Like | Disagree)

Popular Stories

Prosser Series 8 3

Apple Watch Series 8 Rumored to Feature New Design With Flat Display

Wednesday May 18, 2022 6:21 am PDT by
The Apple Watch Series 8 could feature an all-new design with a flat display, according to the leaker known as "ShrimpApplePro." In his latest video on the YouTube channel Front Page Tech, Jon Prosser highlighted information from ShrimpApplePro that suggests the Apple Watch Series 8 could feature a flat display in what seems to be a design originally rumored for the Apple Watch Series 7. ...
anker 563 dock ports

Anker's Latest USB-C Docking Station Brings Triple-Display Support to M1 Macs

Wednesday May 18, 2022 7:06 am PDT by
While Apple's early M1-based Macs can only officially support a single external display, there are ways around the limitation. Anker is launching a new 10-in-1 USB-C docking station today which delivers just that. The Anker 563 USB-C dock includes two HDMI ports and a DisplayPort port, and it leverages DisplayLink to carry multiple video signals over a single connection. Given that this hub...
macOS Monterey 2

Apple Releases macOS Monterey 12.4 With Support for Studio Display Webcam Update

Monday May 16, 2022 10:10 am PDT by
Apple today released macOS Monterey 12.4, the fourth major update to the macOS Monterey operating system that launched in October 2021. macOS Monterey 12.4 comes over two months after the launch of macOS Monterey 12.3, an update that added Universal Control. The ‌‌‌‌‌macOS Monterey‌‌ 12.4 update can be downloaded on all eligible Macs using the Software Update section of System...
Whatsapp Feature

WhatsApp to Let Users Leave Group Chats 'Silently' and View Rich Link Previews in Status Updates

Tuesday May 17, 2022 3:07 am PDT by
WhatsApp is working on a new feature that will allow users to "silently" leave group chats hosted by the messaging platform instead of all members of the group being notified when they do. As it stands, when someone leaves a group chat, WhatsApp announces their exit to the entire group, making the act of leaving very public. It's not possible right now to leave a group quietly, but WhatsApp...
apple data auction iphone privacy ad

Apple Highlights iPhone's Latest Privacy Features in New 'Data Auction' Ad

Wednesday May 18, 2022 9:00 am PDT by
Apple today shared a new ad highlighting iPhone privacy features like App Tracking Transparency and Mail Privacy Protection that are designed to give users more transparency and control when it comes to their personal data being collected. The ad revolves around a young woman named Ellie who discovers that her personal data is being sold at an auction house, with bids being placed on her...
airpodsproinear

Apple Facing Lawsuit After AirPods Allegedly Ruptured Child's Eardrums With Amber Alert

Tuesday May 17, 2022 11:40 am PDT by
Apple's AirPods ruptured the eardrums of a 12-year-old boy in 2020 when a loud Amber Alert was issued, according to a lawsuit filed against Apple in California (via Law360). The child, identified as B.G. in the filing, was watching a movie on Netflix on his iPhone in 2020 while wearing AirPods Pro. The AirPods Pro were allegedly set at a low volume, but an Amber Alert sounded without warning ...
apple store palo alto

Apple Reinstating Employee Mask Mandate at Approximately 100 U.S. Retail Stores

Tuesday May 17, 2022 11:11 am PDT by
Apple retail employees at around 100 stores will need to go back to wearing a mask while working, according to Bloomberg's Mark Gurman. Apple is mandating masks for employees again due to a rising number of COVID cases across the United States. Customers who visit an Apple Store are not required to wear a mask at this time, but Apple is continuing to recommend masks for all Apple Store...