In a seemingly rare case of huge tech firms looking out for one another, Google has revealed that it recently informed Apple of a serious security flaw that it discovered with its Safari browser. The vulnerability could’ve given hackers access to a user’s online behavior, with persistent tracking of a user’s web searches also possible, Google said.
In a technical paper posted online this week, Google researchers described how they found five different kinds of potential attack linked to the vulnerability that would’ve enabled third parties to gather “sensitive private information about the user’s browsing habits”.
The issue concerned Apple’s Intelligent Tracking Prevention (ITP) technology, a privacy mechanism incorporated into the Safari browser in October 2017. ITP is designed to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data, but, ironically, the ITP vulnerability had the potential to expose browser-linked data.
Google said that the uncovered flaw put users’ data at risk as they offered access to an on-device list created by the ITP technology that “implicitly stores information about the websites visited by the user.” Lukasz Olejnik, an independent security researcher, told the Financial Times (FT) that if the weakness had been exploited or used, it would’ve paved the way for “unsanctioned and uncontrollable user tracking.”
According to the FT, Google informed Apple about the vulnerability in August 2019, prompting the company to fix it. At the end of last year, Apple engineer John Wilander acknowledged Google’s assistance in a blog post, though at the time he declined to offer any specific information about the issue.
“We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection,” Wilander wrote in the post. “Their responsible disclosure practice allowed us to design and test the changes detailed above.”
In a separate statement released this week, Google said it has always been keen to work with companies in the tech industry “to exchange information about potential vulnerabilities and protect our respective users,” explaining that Google’s core security research team had worked “closely and collaboratively with Apple on this issue.” It added,”The technical paper simply explains what our researchers discovered so others can benefit from their findings.”
We’ve reached out to Apple for more information about the security issue with its web browser and will update this article if we hear back.