Google Finds Intelligent Tracking Prevention Flaws in Safari

1 minute read
| News

Google found multiple Intelligent Tracking Prevention flaws in Safari that let users be tracked anyway (via Financial Times—paywall).

Correction: This article was updated to reflect it wasn’t Project Zero that discovered this. The flaws were found by Google’s Security Enhancements for the Web team.

ITP Flaws

Google’s security team Project Zero found the security issues back in August and released details [PDF]. For now, we know that these bugs let Safari users have their web browsing tracked, despite Apple creating Intelligent Tracking Prevention to stop that sort of tracking.

PDF screenshot of Intelligent Tracking Prevention flaws

Because the list that ITP uses stores information about the websites visited by the users, an attacker could create a “persistent fingerprint” that would enable them to follow a user around the web or see their search terms.

Since Google’s disclosure these security flaws have been patched in Safari 13.0.4 and iOS 13.3. Project Zero is just following its new 90-day disclosure policy to give companies time to patch the security flaws it finds.

Further Reading

[Safari Users are Less Valuable to Advertisers]

[Intelligent Tracking Prevention 2.2 Changes Cookie Storage Duration]

3
Leave a Reply

Please Login to comment
2 Comment threads
1 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
3 Comment authors
Sailor HG1252archimedes Recent comment authors

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  Subscribe  
newest oldest most voted
Notify of
1252
Member
1252

This was setup in collaboration with FBI?

archimedes
Member
archimedes

Nice that Google is working so hard to find flaws in Safari’s tracking protection, right? 😉

Sailor HG
Member
Sailor HG

Yeah, that part isn’t surprising to me AT ALL. What IS surprising is that they went and told Apple about the flaws they found — I expected them to exploit the flaws for all they were worth! Of course, I suppose they could easily do both… 🙂