Flaws in Apple's Intelligent Tracking Prevention Safari Feature Let People Be Tracked

Google researchers discovered multiple security flaws in Apple's Safari web browser that let users' browsing habits be tracked despite Apple's Intelligent Tracking Prevention feature.

Google plans to publish details on the security flaws in the near future, and a preview of Google's discovery was seen by Financial Times, with the publication sharing information on the vulnerabilities this morning.

The security flaws were first found by Google in the summer of 2019, and were disclosed to Apple in August. There were five types of potential attacks that could allow third parties to learn "sensitive private information about the user's browsing habits."

Google researchers say that Safari left personal data exposed because the Intelligent Tracking Prevention List "implicitly stores information about the websites visited by the user." Malicious entities could use these flaws to create a "persistent fingerprint" that would follow a user around the web or see what individual users were searching for on search engine pages.

Intelligent Tracking Prevention, which Apple began implementing in 2017, is a privacy-focused feature meant to make it harder for sites to track users across the web, preventing browsing profiles and histories from being created.

Lukasz Olejnik, a security researcher who saw Google's paper, said that if exploited, the vulnerabilities "would allow unsanctioned and uncontrollable user tracking." Olejnik said that such privacy vulnerabilities are rare, and "issues in mechanisms designed to improve privacy are unexpected and highly counter-intuitive."

Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its "responsible disclosure practice," though full security credit has not yet been provided by Apple so there's a chance that there's still some behind-the-scenes fixing to be done.

Tags: Google, Safari

Top Rated Comments

(View all)

5 weeks ago
Oooooooooh the irony.
Rating: 37 Votes
5 weeks ago
Apple is doing a good job with privacy and it is good Google is disclosing problems. What this shows though is that no matter how good one thinks that a particular company (any) is, things can slip through the cracks.

For example, someone might think there is no way Apple could have an issue with their iCloud encryption or with the servers housing the Apple private key encrypted iCloud data and in all likelihood they'll be wrong. Trusting any centralized source like this will be a problem at some point.
Rating: 19 Votes
5 weeks ago
“There were five types of potential attacks that could allow third parties to learn ‘sensitive private information about the user's browsing habits.’” said Google, everyone’s favorite data-collecting tech giant.
Rating: 17 Votes
5 weeks ago


Rough week for Apple---


Ah, the good'ol Safari, one of Apple's biggest software troll since Cook.


Seems like Apple has these rough weeks quite often these days. Reality is a bitch when all you've got is marketing.


....about a company who’s entire business spin is about privacy and security


What but i thought..........................


Well it was a pretty long article I guess. For those who didn’t bother reading to the end:

“Apple appears to have addressed these Safari security flaws in a December update, based on a release update ('https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/') that thanked Google for its ‘responsible disclosure practice....’ ”

?
Rating: 16 Votes
5 weeks ago


Reality is a bitch when all you've got is marketing.


So true. I used to love Apple, but since around 2015 I've had nothing but problems with their hardware and software. Their software is so buggy; I remember when things just worked and now odd glitches are a daily occurrence.

Personally I hate this Safari feature. I much rather have full control over what sites store/don't store. On my laptop and desktop I have Firefox reject all third-party cookies (there's virtually no legitimate reason to have them anyway), in addition to usual extensions to block trackers, etc. Safari is only used on my phone and this "feature" of Apple's causes problems because it's not learning the sites I visit and keeps deleting legitimate cookies for those sites so I have to login/change settings when I visit. There really should be more control for the end user but that's not the Apple way.
Rating: 12 Votes
5 weeks ago
Meanwhile, Google can't build a browser like Safari because they make more money on ads if they let people track you by default. Google Ads needs it.
Rating: 9 Votes
5 weeks ago
The irony is thick, given this is coming from a company whose entire business model centers around tracking users.
Rating: 9 Votes
5 weeks ago


“There were five types of potential attacks that could allow third parties to learn ‘sensitive private information about the user's browsing habits.’” said Google, everyone’s favorite data-collecting tech giant.

Frankly, if we can get Google and Apple into a massive public spat on privacy we’d all stand to benefit. Having those two companies holding each other’s feet to the fire, trying to make the other look bad by exposing flaws and hypocrisies, would not only be endlessly entertaining but would lead to great public good.
Rating: 8 Votes
5 weeks ago
I mean Google would know since tracking people is their business model.
Rating: 8 Votes
5 weeks ago


Seems like Apple has these rough weeks quite often these days. Reality is a bitch when all you've got is marketing.


And a stock price gone from 153 to 317 in a year due to some of the best products in the world. Most people would kill to have such "rough weeks". but yea "all they have is marketing". nonsense.
Rating: 8 Votes

[ Read All Comments ]