Google found multiple Intelligent Tracking Prevention flaws in Safari that let users be tracked anyway (via Financial Times—paywall).
Correction: This article was updated to reflect it wasn’t Project Zero that discovered this. The flaws were found by Google’s Security Enhancements for the Web team.
ITP Flaws
Google’s security team Project Zero found the security issues back in August and released details [PDF]. For now, we know that these bugs let Safari users have their web browsing tracked, despite Apple creating Intelligent Tracking Prevention to stop that sort of tracking.
Because the list that ITP uses stores information about the websites visited by the users, an attacker could create a “persistent fingerprint” that would enable them to follow a user around the web or see their search terms.
Since Google’s disclosure these security flaws have been patched in Safari 13.0.4 and iOS 13.3. Project Zero is just following its new 90-day disclosure policy to give companies time to patch the security flaws it finds.
Further Reading
[Safari Users are Less Valuable to Advertisers]
[Intelligent Tracking Prevention 2.2 Changes Cookie Storage Duration]
This was setup in collaboration with FBI?
Nice that Google is working so hard to find flaws in Safari’s tracking protection, right? 😉
Yeah, that part isn’t surprising to me AT ALL. What IS surprising is that they went and told Apple about the flaws they found — I expected them to exploit the flaws for all they were worth! Of course, I suppose they could easily do both… 🙂