Apple privacy tool exposed browsing data in Safari, say researchers

Apple’s anti web-tracking tool meant to bolster privacy actually exposed private browsing habits of Safari users, report says

  • Anti web-tracking measures designed for privacy contained several flaws
  • Google researchers say they exposed the private web data of Safari users
  • Search queries and websites a user visited were among the vulnerable data 
  • Google researchers say flaws may still be active

Apple’s anti web-tracking features, meant to prevent sleuthy sites from monitoring users’ online activity, came at the expense of their security, say researchers.

According to a report from a team of researchers at Google that was first highlighted by the Financial Times, several flaws were found in a feature called Intelligent Tracking Prevention, rolled out in 2017, which was meant to stop digital ad companies from hoovering up people’s web data.

In all, five different vulnerabilities in the feature, first discovered in August last year, opened users up to attacks that expose ‘sensitive private information about the user’s browsing habits.’


The flaws enable a hypothetical hacker to glean various bits of private data, including specific web searches and which sites users actually visit.

Though the feature was initially touted as a major improvement to user privacy, given its goal of protecting web activity for anyone using the Safari browser, its ingenuity also led to some of its issues.

Because an algorithm powering the tool runs on-device, making it able to learn from user behavior and improve, it also stored user behavior inside phones, creating a vulnerable trove of web data.

While Apple says it has tested and verified Google’s findings, it has yet to confirm whether the flaws have been fully addressed and closed. 

Google researcher Justin Schuh said on Twitter that though Apple acknowledged the issues reported in the feature in a blog post, none of the changes made by the company actually addressed the flaws.

‘… Apple’s blog post was confusing to the team that provided the report,’ tweeted Schuh.

‘The post was made during a disclosure extension Apple had requested, but didn’t disclose the vulnerabilities, and the changes mentioned didn’t fix the reported issues.’

While flaws arise in just about every browser at some point, Apple has long touted its commitment to a more secure experience compared to counterparts.

Added protections against third-party data tracking and tools that help users opt out of location services are among the initiatives that have forced competitors like Google Chrome to start offering their own protections.
