Google found multiple Intelligent Tracking Prevention flaws in Safari that let users be tracked anyway (via Financial Times—paywall).
Correction: This article was updated to reflect it wasn’t Project Zero that discovered this. The flaws were found by Google’s Security Enhancements for the Web team.
Google’s security team Project Zero found the security issues back in August and released details [PDF]. For now, we know that these bugs let Safari users’ web browsing be tracked, even though Apple created Intelligent Tracking Prevention to stop that sort of tracking.
Because the list that ITP uses stores information about the websites a user visits, an attacker could create a “persistent fingerprint” that would enable them to follow that user around the web or see their search terms.
Since Google’s disclosure, these security flaws have been patched in Safari 13.0.4 and iOS 13.3. Project Zero is just following its new 90-day disclosure policy to give companies time to patch the security flaws it finds.