Flaws in Apple's Intelligent Tracking Prevention Safari Feature Let People Be Tracked

safari iconGoogle researchers discovered multiple security flaws in Apple's Safari web browser that let users' browsing habits be tracked despite Apple's Intelligent Tracking Prevention feature.

Google plans to publish details on the security flaws in the near future, and a preview of Google's discovery was seen by Financial Times, with the publication sharing information on the vulnerabilities this morning.

The security flaws were first found by Google in the summer of 2019, and were disclosed to Apple in August. There were five types of potential attacks that could allow third parties to learn "sensitive private information about the user's browsing habits."

Google researchers say that Safari left personal data exposed because the Intelligent Tracking Prevention List "implicitly stores information about the websites visited by the user." Malicious entities could use these flaws to create a "persistent fingerprint" that would follow a user around the web or see what individual users were searching for on search engine pages.

Intelligent Tracking Prevention, which Apple began implementing in 2017, is a privacy-focused feature meant to make it harder for sites to track users across the web, preventing browsing profiles and histories from being created.

Lukasz Olejnik, a security researcher who saw Google's paper, said that if exploited, the vulnerabilities "would allow unsanctioned and uncontrollable user tracking." Olejnik said that such privacy vulnerabilities are rare, and "issues in mechanisms designed to improve privacy are unexpected and highly counter-intuitive."

Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its "responsible disclosure practice," though full security credit has not yet been provided by Apple so there's a chance that there's still some behind-the-scenes fixing to be done.

Tags: Google, Safari

Top Rated Comments

SDJim Avatar
55 months ago
Oooooooooh the irony.
Score: 37 Votes (Like | Disagree)
centauratlas Avatar
55 months ago
Apple is doing a good job with privacy and it is good Google is disclosing problems. What this shows though is that no matter how good one thinks that a particular company (any) is, things can slip through the cracks.

For example, someone might think there is no way Apple could have an issue with their iCloud encryption or with the servers housing the Apple private key encrypted iCloud data and in all likelihood they'll be wrong. Trusting any centralized source like this will be a problem at some point.
Score: 19 Votes (Like | Disagree)
Mr. Awesome Avatar
55 months ago
“There were five types of potential attacks that could allow third parties to learn ‘sensitive private information about the user's browsing habits.’” said Google, everyone’s favorite data-collecting tech giant.
Score: 17 Votes (Like | Disagree)
PickUrPoison Avatar
55 months ago

Rough week for Apple---

Ah, the good'ol Safari, one of Apple's biggest software troll since Cook.

Seems like Apple has these rough weeks quite often these days. Reality is a bitch when all you've got is marketing.

....about a company who’s entire business spin is about privacy and security

What but i thought..........................


Well it was a pretty long article I guess. For those who didn’t bother reading to the end:

“Apple appears to have addressed these Safari security flaws in a December update, based on a release update ('https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/') that thanked Google for its ‘responsible disclosure practice....’ ”

?
Score: 16 Votes (Like | Disagree)
Dave-Z Avatar
55 months ago

Reality is a bitch when all you've got is marketing.
So true. I used to love Apple, but since around 2015 I've had nothing but problems with their hardware and software. Their software is so buggy; I remember when things just worked and now odd glitches are a daily occurrence.

Personally I hate this Safari feature. I much rather have full control over what sites store/don't store. On my laptop and desktop I have Firefox reject all third-party cookies (there's virtually no legitimate reason to have them anyway), in addition to usual extensions to block trackers, etc. Safari is only used on my phone and this "feature" of Apple's causes problems because it's not learning the sites I visit and keeps deleting legitimate cookies for those sites so I have to login/change settings when I visit. There really should be more control for the end user but that's not the Apple way.
Score: 12 Votes (Like | Disagree)
Swift Avatar
55 months ago
Meanwhile, Google can't build a browser like Safari because they make more money on ads if they let people track you by default. Google Ads needs it.
Score: 9 Votes (Like | Disagree)

Popular Stories

apple tv 4k yellow bg feature

When to Expect a New Apple TV to Launch

Tuesday April 9, 2024 8:30 am PDT by
It has been nearly a year and a half since the current Apple TV was released, so the device is becoming due for a hardware upgrade. Below, we recap rumors about the next Apple TV, including potential features and launch timing. The current model is the third-generation Apple TV 4K, announced in October 2022. Key new features compared to the previous model from 2021 include a faster A15...
iPhone 16 Camera Lozenge 2 Colors

iPhone 16 Plus Rumored to Come in These 7 Colors

Wednesday April 10, 2024 3:52 am PDT by
Apple's iPhone 16 Plus may come in seven colors that either build upon the existing five colors in the standard iPhone 15 lineup or recast them in a new finish, based on a new rumor out of China. According to the Weibo-based leaker Fixed focus digital, Apple's upcoming larger 6.7-inch iPhone 16 Plus model will come in the following colors, compared to the colors currently available for the...
iPhone 16 Pro Sizes Feature

Alleged iPhone 16 Battery Details Show Smaller Capacity for One Model

Tuesday April 9, 2024 3:46 am PDT by
Apple's upcoming iPhone 16 lineup will feature bigger battery capacities compared to previous-generation models with the exception of the iPhone 16 Plus, which will have a smaller battery than its predecessor. That's according to the Chinese Weibo-based leaker OvO Baby Sauce OvO, a relatively new source of supply chain leaks with an as-yet unproven track record for accuracy. The iPhone 16 ...
apple silicon feature joeblue

Macs to Get AI-Focused M4 Chips Starting in Late 2024

Thursday April 11, 2024 10:10 am PDT by
Apple will begin updating its Mac lineup with M4 chips in late 2024, according to Bloomberg's Mark Gurman. The M4 chip will be focused on improving performance for artificial intelligence capabilities. Last year, Apple introduced the M3, M3 Pro, and M3 Max chips all at once in October, so it's possible we could see the M4 lineup come during the same time frame. Gurman says that the entire...
M3 iPad Feature 3

Apple Event for New iPads Still Considered 'Unlikely' Following Delays

Tuesday April 9, 2024 6:37 am PDT by
Apple is "unlikely" to hold an event to announce new iPad Pro and iPad Air models, according to sources cited by Taiwanese supply chain publication DigiTimes. Bloomberg's Mark Gurman already said Apple was not planning to hold an event for the new iPads, but he made this claim back in early March, before it was reported that the devices were postponed due to manufacturing delays. With the...
iOS 18 WWDC 24 Feature 2

iOS 18 May Feature All-New 'Safari Browsing Assistant'

Wednesday April 10, 2024 6:11 am PDT by
iOS 18 will apparently feature a new Safari browsing assistant, according to backend code on Apple's servers discovered by Nicolás Álvarez. MacRumors contributor Aaron Perris confirmed that the code exists, but not many details are known at this time. Álvarez said it seems like the browsing assistant will use iCloud Private Relay's infrastructure to send relevant data to Apple in a...