Apple’s web browser, Safari, fails to provide users with the level of tracking protection it claims, a new study has found. According to researchers from Google’s security team, the Safari browser is vulnerable to a variety of flaws which leave it open to “information leaks” by hackers.
The new study, which was published on 22 January, takes these concerns a step further by suggesting that technical issues relating to Safari’s tracking protection system give rise to “a number of unexpected consequences.” These include “the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks.”
In essence, this means that hackers would be able to exploit Safari in order to track users as they navigate the Internet, as well as to gain access to their cross-site browsing history.
Tracking protection technicalities
The newfound vulnerability in the Safari browser centers around one feature in particular: Intelligent Tracking Prevention (ITP). This feature, which Apple released back in 2017, was designed specifically with data protection in mind.
The ITP tool was seen by privacy advocates at the time as a state-of-the-art piece of technology for tracking protection on web browsers. Its release is speculated to have forced competitors such as Google Chrome to release their own tracking protection features in order to stay abreast of Apple’s privacy developments.
To strengthen user privacy, Safari’s ITP logs users onto its system before proceeding to block interested websites from accessing that information. This is done with the intention of shielding users from third-party tracking cookies. The Safari ITP then goes on to list these websites as “prevalent domains” as soon as they are detected as targeting the user for advertising. It is in this way, the researchers point out, that an “ITP list” is formed by Safari, a list that is left vulnerable to hacking and to manipulation by third parties.
To demonstrate their conclusions, Google researchers used one of the flaws to track the online browsing habits of users by creating a “persistent fingerprint”. Another flaw was used to establish which queries users had been searching via search engines.
In essence, then, the Google study found that, by compiling an ITP list, Safari guaranteed that the information that was intended to be protected from hackers could be found in a single place. Consequently, by developing and introducing new tracking protection technologies, Apple has inadvertently left its web browser open to the very forces it had tried to keep away.
Cooperation and competition for Apple and Google
This is not the first occasion on which efforts aimed at improving privacy have proven to be not only ineffective but completely counterproductive. Last year, Apple got rid of an enhanced privacy tool for Safari users called ‘Do Not Track,’ stating that it wanted to “prevent potential use as a fingerprinting variable.” In other words, the tracking protection tool used by Safari, in the end, opened up an avenue by which privacy could be exploited.
This came mere months after Google made Apple aware of several other vulnerabilities it had detected in Safari’s tracking protection technology, back in August of last year. Apple went on to blame Google in response, pointing out their belief that the company was contributing to the rise of misinformation by causing iOS users needless unease.
This did not deter Google from digging further in their recent study, however. On the subject of the company’s involvement in identifying technical defects in Apple products, Google explains in a separate statement that they have “long worked with companies across the industry to exchange information about potential vulnerabilities and protect our respective users.”
Google’s statement goes on to explain that the company’s core security research team has “worked closely and collaboratively with Apple on this issue,” and that the research paper “simply explains what our researchers discovered so others can benefit from their findings.”
Apple, for its part, seems to have shown some measure of gratitude to Google for having identified the recent security flaws in the Safari browser. “We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection,” chief ITP engineer John Wilander wrote in a post.
As things stand, Safari’s new tracking protection flaws have not yet been addressed, although both parties have expressed a strong interest in rectifying issues such as this one when they arise. As Google’s security team concludes, “We look forward to collaborating with Apple on future security and privacy improvements to the web.”