Google: Flaws in Apple’s Private-Browsing Technology Allow for Third-Party Tracking

New research outlines vulnerabilities in Safari’s Intelligent Tracking Protection that can reveal user browsing behavior to third parties.

Technology Apple designed for its Safari web browser to protect users from being tracked when they surf the web may actually do just the opposite, according to new research from Google.

Google researchers have identified a number of security flaws in Safari’s Intelligent Tracking Protection that allow people’s browsing behavior to be tracked by third parties, according to a report published in the Financial Times (FT) Wednesday. The research will soon be disclosed publicly, the report said.

The research is a major blow to Apple’s commitment to user privacy, as the company long has claimed it is better than its rivals at protecting its customers’ data and web-browsing practices.

Google researchers identified five different types of potential attack that exploit the vulnerabilities they found in ITP and that could allow third parties like digital advertisers to obtain “sensitive private information about the user’s browsing habits,” according to the report.

Among those issues with ITP is a feature that stores information about websites visited by the user, Google researchers said. A flaw in the technology also could potentially allow hackers to “create a persistent fingerprint that will follow the user around the web,” according to the report.

Other vulnerabilities Google researchers discovered in ITP allowed third parties to observe what individual users were searching for on search engine pages, they said.

Apple added ITP to Safari in 2017 to protect user activity from being tracked by third parties. At the time the tool was seen as a boon for enhancing the privacy of users, and it inspired Google and other browser makers to make changes to their own products to limit third-party tracking.

Apple claims it already has addressed the flaws disclosed in the forthcoming Google research, according to the FT report. Indeed, Apple already was aware of issues in ITP and updated its WebKit browser engine in December with “enhancements” without disclosing any specific flaws.

That update was outlined in a blog post by Apple privacy engineer John Wilander, who thanked Google researchers “for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection.”

“Their responsible disclosure practice allowed us to design and test the changes detailed above,” Wilander said at the time.

The forthcoming Google research is certainly not the first time the tech giant has called out Apple for security flaws in the company’s software, as the rival companies long have sparred over which offers safer and more secure technology to consumers.

In August, Google’s Project Zero team disclosed a total of 14 iPhone vulnerabilities — including two that were zero-days when discovered — that were targeted by five exploit chains in a watering hole attack that has lasted years. The watering holes delivered a spyware implant that can steal private data like iMessages, photos and GPS location in real time, Google researcher Ian Beer said at the time.

Apple later accused Google of spreading misinformation and fear over the vulnerabilities and the risk involved, needlessly panicking iPhone customers over flaws that Apple already had patched and that were limited in scope to fewer than a dozen websites focused on content related to the Uighur ethnic minority community in northwestern China.
