Google researchers have exposed details of multiple security flaws in its rival Apple’s Safari web browser that allowed users’ browsing behaviour to be tracked, despite the fact that the affected tool was specifically designed to protect their privacy.
The flaws, which were ironically found in an anti-tracking feature known as Intelligent Tracking Prevention, were first disclosed by Google to Apple in August last year.
In a soon-to-be published paper seen by the Financial Times, researchers in Google’s cloud team have since identified five different types of potential attack that could have resulted from the vulnerabilities, allowing third parties to obtain “sensitive private information about the user’s browsing habits”.
“You would not expect privacy-enhancing technologies to introduce privacy risks,” said Lukasz Olejnik, an independent security researcher who has seen the paper. “If exploited or used, [these vulnerabilities] would allow unsanctioned and uncontrollable user tracking.
“While today such privacy vulnerabilities are very rare, issues in mechanisms designed to improve privacy are unexpected and highly counter-intuitive.”
Apple rolled out Intelligent Tracking Prevention in 2017, with the specific aim of protecting Safari browser users from being tracked around the web by advertisers’ and other third-parties’ cookies.
The tool is seen by privacy advocates as a pioneering privacy-enhancing technology for web browsers, and has forced competitors including Google’s Chrome browser to augment their own tracking controls.
“Unlike other approaches . . . ITP runs its algorithms on-device, which makes it able to detect [user] behaviour and ‘learn’ about them automatically,” said Mr Olejnik. “But this user-specific aspect is also partly why the risk of information leaks was possible.”
According to the Google researchers, the vulnerabilities left personal data exposed “because the ITP list implicitly stores information about the websites visited by the user”.
The researchers also identified a flaw that allowed hackers to “create a persistent fingerprint that will follow the user around the web”, while others were able to reveal what individual users were searching for on search engine pages.
Apple addressed the security flaws, without revealing any details, in December, when privacy engineer John Wilander published a blog post about security updates to its browser software. In it, he thanked Google’s researchers “for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection”.
“Their responsible disclosure practice allowed us to design and test the changes detailed above,” he added.
Apple confirmed it patched the issues reported by Google last year.
This is the second time in the past year Google researchers have revealed security flaws in Apple software. In August, the search company also named a series of websites that were delivering targeted attacks to iPhones owned by the Uighur minority in China. Google confirmed it had authored the paper and said Apple has acknowledged its help in identifying these issues last year.
In a statement, Google said: “We’ve long worked with companies across the industry to exchange information about potential vulnerabilities and protect our respective users.
“Our core security research team has worked closely and collaboratively with Apple on this issue. The technical paper simply explains what our researchers discovered, so others can benefit from their findings.”
Additional reporting by Richard Waters in San Francisco
Copyright The Financial Times Limited . All rights reserved. Please don't copy articles from FT.com and redistribute by email or post to the web.