Google researchers reveal flaws in Safari that could be exploited to track users
Apple's Safari web browser was found to have multiple security flaws that allowed users' online activity to be tracked, say Google researchers.
In a yet-to-be-published paper, the researchers reveal issues in a Safari feature that is actually supposed to increase user privacy. The Intelligent Tracking Prevention (ITP) feature found in the iOS, iPadOS and macOS versions of the browser is meant to block tracking, but vulnerabilities meant that third parties could have accessed sensitive information about users' browsing habits.
In the paper, seen by the Financial Times, researchers from Google's cloud team identified no fewer than five potential forms of attack that could exploit the vulnerabilities and gather "sensitive private information about the user's browsing habits".
Details of the security flaws were revealed to Apple in August last year, and the company quietly patched the vulnerabilities in December.
The Financial Times explains (pay-walled):
According to the Google researchers, the vulnerabilities left personal data exposed "because the ITP list implicitly stores information about the websites visited by the user".
The researchers also identified a flaw that allowed hackers to "create a persistent fingerprint that will follow the user around the web", while others were able to reveal what individual users were searching for on search engine pages.
In a little-publicized blog post, Apple thanked Google for its help, saying: "We'd like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above. Full credit will be given in upcoming security release notes".
The irony of a privacy-protecting feature having such a vulnerability was noted by independent security researcher Lukasz Olejnik. He says:
You would not expect privacy-enhancing technologies to introduce privacy risks. If exploited or used, they would allow unsanctioned and uncontrollable user tracking. While today such privacy vulnerabilities are very rare, issues in mechanisms designed to improve privacy are unexpected and highly counter-intuitive.
Olejnik added that the way ITP stores data made it vulnerable: "ITP runs its algorithms on-device, which makes it able to detect behaviour and "learn" about them automatically. But this user-specific aspect is also partly why the risk of information leaks was possible".