Google researchers have discovered “multiple security flaws” in Apple’s Safari browser, a new report from the Financial TImes says. The flaws were found in Safari’s Intelligent Tracking Prevention feature, which is designed to protect users from cross-site tracking and other online privacy concerns, and have since been fixed.
The report from the Financial Times cites a soon-to-be-released paper in which researchers from Google’s cloud team explain the vulnerabilities. According to the report, Google researchers have identified five different attacks that could result from the security flaws in Safari.
The Intelligent Tracking Prevention left personal data exposed because of how it “implicitly stores information about the websites visited by the users,” Google researchers say. Ironically, Google researchers also say that a security flaw that allowed hackers to “create a persistent fingerprint that will follow the user around the web.” Other flaws “were able to reveal what individual users were searching for on search engine pages.”
In essence, security flaws in Apple’s Intelligent Tracking Prevention platform made users vulnerable to tracking similar to what the feature is designed to prevent.
Google made Apple aware of these vulnerabilities in August of last year, and the Financial Times says Apple rolled out a fix to Safari’s Intelligent Tracking Prevention feature in December. Apple referenced the fixes in a blog post in December, thanking Google for the help.
With that being said, Google Chrome Engineering Director Justin Schuh said on Twitter this morning that the actual vulnerabilities have not been fixed, despite Apple’s claim. The full paper is now available to read here.
It has not. I explained elsewhere that Apple’s blog post was confusing to the team that provided the report. The post was made during a disclosure extension Apple had requested, but didn’t disclose the vulnerabilities, and the changes mentioned didn’t fix the reported issues.
— Justin Schuh 🤬 (@justinschuh) January 22, 2020
