Apple's Intelligent Tracking Prevention technology posed risks to privacy and security, a research paper concluded.
Apple focuses on privacy protections as a major selling point for its products, but a feature designed to protect your privacy when using its Safari browser also created vulnerabilities that put your data and privacy at risk, Google researchers have found.
In a paper published Wednesday, a group of Google security engineers disclosed a set of flaws in Safari that would've allowed potential hackers to view people's browsing and search history. The flaws also could've let websites track your behavior on the internet, the paper said.
Apple declined to comment but said that in December it fixed the flaws disclosed by Google.
"We've long worked with companies across the industry to exchange information about potential vulnerabilities and protect our respective users," Google said in a statement. "Our core security research team has worked closely and collaboratively with Apple on this issue. The technical paper simply explains what our researchers discovered so others can benefit from their findings."
The vulnerabilities stemmed from Safari's Intelligent Tracking Prevention (ITP) feature, which Apple first unveiled in 2017. The tool was designed to protect Safari users from third-party tracking cookies by logging their use and then blocking websites from utilizing them.
ITP would log these websites as "prevalent domains" when it noticed them sending data that would allow advertisers to identify the user. These logs were added to an "ITP list," according to the researchers.
Logging this essentially created a way for potential attackers to get a detailed view of a person's web history, according to Google's paper.
A website could've checked to see if particular domain names were on the ITP list, which is useful for tracking people, and could've manipulated the list, which raised security concerns. The flaws could've led to information leaks and let attackers block access to some websites, the Google researchers said.
It's not the first time an attempt to protect privacy has backfired. In 2019, Safari removed a feature called Do Not Track because, ironically, its presence allowed websites to better track people by creating a "fingerprint" of their browser settings. Do Not Track was an attempt by browser makers, privacy advocates and others to offer people a way to tell websites not to track them, but the effort failed.
The team behind WebKit, the Apple browser engine project that powers Safari, credited Google in a December blog post for finding the vulnerabilities.
"We'd like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection," John Wilander, Apple's WebKit engineer behind ITP, wrote in the post.
In the past Google has disclosed serious security vulnerabilities involving Apple, including a set of security flaws in iOS devices that were used to target Uighur Muslims in China.
Though Apple said it addressed the ITP flaws, the research paper said the fixes have limits.
And Google Chrome engineering director Justin Schuh tweeted Wednesday that Apple hasn't fixed the problems.