X

Google finds Apple Safari anti-tracking feature actually enabled tracking

Apple's Intelligent Tracking Prevention technology posed risks to privacy and security, a research paper concluded.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
Apple's Safari icon on an iPhone screen

Apple's Safari icon on an iPhone screen.

Stephen Shankland/CNET

Apple focuses on privacy protections as a major selling point for its products, but a feature designed to protect your privacy when using its Safari browser also created vulnerabilities that put your data and privacy at risk, Google researchers have found.

In a paper published Wednesday, a group of Google security engineers disclosed a set of flaws in Safari that would've allowed potential hackers to view people's browsing and search history. The flaws also could've let websites track your behavior on the internet, the paper said.

Apple declined to comment but said it fixed the flaws disclosed by Google, in December

"We've long worked with companies across the industry to exchange information about potential vulnerabilities and protect our respective users," Google said in a statement. "Our core security research team has worked closely and collaboratively with Apple on this issue. The technical paper simply explains what our researchers discovered so others can benefit from their findings."

The vulnerabilities stemmed from Safari's Intelligent Tracking Prevention (ITP) feature, which Apple first unveiled in 2017. The tool was designed to protect Safari users from third-party tracking cookies by logging their use and then blocking websites from utilizing them.

ITP would log these websites as "prevalent domains" when it noticed them sending data that would allow advertisers to identify the user. These logs were added to an "ITP list," according to the researchers.

Logging this essentially created a way for potential attackers to get a detailed view of a person's web history, according to Google's paper. 

A website could've checked to see if particular domain names were on the ITP list, which is useful for tracking people, and could've manipulated the list, which raised security concerns. The flaws could've led to information leaks and let attackers block access to some websites, the Google researchers said.

It's not the first time an attempt to protect privacy has backfired. In 2019, Safari removed a feature called Do Not Track because, ironically, its presence allowed websites to better track people by creating a "fingerprint" or their browser settings. Do Not Track was an attempt by browser makers, privacy advocates and others to offer people a way to tell websites not to track them, but the effort failed.

The team behind WebKit, the Apple browser engine project that powers Safari, credited Google in a December blog post for finding the vulnerabilities. 

"We'd like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection," John Wilander, Apple's WebKit engineer behind ITP, wrote in the post. 

In the past Google has disclosed serious security vulnerabilities involving Apple, including a set of security flaws in iOS devices that were used to target Uighur Muslims in China.

Though Apple said it addressed the ITP flaws, the research paper said the fixes have limits.

And Google Chrome engineering director Justin Schuh tweeted Wednesday that Apple hasn't fixed the problems.