
Google warns Apple about flaw in the Safari browser that could have let hackers track you across the web

Google informed Apple about the flaw in August 2019 and the company fixed it as part of the recent iOS 13.3

A flaw in Apple’s Safari browser that could have allowed hackers to track your movements online has been fixed, thanks to help from rival firm Google. 

In a technical paper released this week, Google researchers explained: “As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design.

“These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search).”

ITP stands for Intelligent Tracking Prevention, a feature added to the Safari browser in 2017 to protect users from being tracked across the web by stopping websites from using third-party context to identify who the user is.

Ironically, the way this feature was built meant that it was relatively easy to bypass by exploiting how ITP categorised and assigned domains and URLs, which meant the user’s data and movements across the web were at risk of being exposed, rather than protected.

Google informed Apple about the flaw in August 2019 and the company fixed it as part of iOS 13.3.

In a blog post detailing the fix, posted by Apple’s John Wilander, the tech giant says that it has made three enhancements to Safari to make it more secure. The most significant one (from a user’s viewpoint) is that ITP will now block all third-party requests from seeing a user’s cookies, regardless of the classification status of the domain, unless the original website has already received your permission/interaction.

The post also acknowledges Google’s support, saying: “We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection.

“Their responsible disclosure practice allowed us to design and test the changes detailed above.”
