Google Finds Intelligent Tracking Prevention Flaws in Safari

Google found multiple Intelligent Tracking Prevention flaws in Safari that let users be tracked anyway (via Financial Times—paywall).

Correction: This article was updated to reflect it wasn’t Project Zero that discovered this. The flaws were found by Google’s Security Enhancements for the Web team.

ITP Flaws

Google’s security team Project Zero found the security issues back in August and released details [PDF]. For now, we know that these bugs let Safari users have their web browsing tracked, despite Apple creating Intelligent Tracking Prevention to stop that sort of tracking.

Because the list that ITP uses stores information about the websites users visit, an attacker could create a “persistent fingerprint” that would enable them to follow a user around the web or see their search terms.

Since Google’s disclosure, these security flaws have been patched in Safari 13.0.4 and iOS 13.3. Project Zero is just following its new 90-day disclosure policy to give companies time to patch the security flaws it finds.

Further Reading

[Safari Users are Less Valuable to Advertisers]

[Intelligent Tracking Prevention 2.2 Changes Cookie Storage Duration]
