Flaws in Apple's Intelligent Tracking Prevention Safari Feature Let People Be Tracked

ani4ani

macrumors 65816
May 4, 2012
1,019
868
UK
Well it was a pretty long article I guess. For those who didn’t bother reading to the end:

“Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its ‘responsible disclosure practice....’ ”

🙄
...but never told anyone of the issue nevertheless
 

Glockworkorange

macrumors 68020
Feb 10, 2015
2,465
4,117
Chicago, Illinois
Well it was a pretty long article I guess. For those who didn’t bother reading to the end:

“Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its ‘responsible disclosure practice....’ ”

🙄
I read the article. It's fixed. Just quite a few Apple privacy stories this week; some fair, some not so fair, but all of them I think were trying to place Apple in a bad light.

Hence, not a great week.

I for one would really appreciate encrypted iCloud backups.

I encrypt local backups, so I've been able to address my security concerns, but over iCloud would be much easier.
- - Post merged: - -

This is old news.
That's true---but you will get more clicks if you bring it up again with a damning headline!
- - Post merged: - -

In what way?

$320/share.
It' a tough week for them as far as public perception of iPhone security.

It has zero to do with the stock price

You could have a great week at work and an awful week at home with your family; that would be a tough week irrespective of the good work week.

I bet you know that but wanted to appear witty.

You didn't.
 

mac_in_tosh

macrumors 6502
Nov 6, 2016
396
4,613
Earth
It should be quite obvious by now that any large piece of software is going to be full of bugs and have vulnerabilities. That the software keeps growing in size and getting gratuitous updates only adds to the probability of something bad happening.
 

dannys1

macrumors 68030
Sep 19, 2007
2,539
4,609
UK
So true. I used to love Apple, but since around 2015 I've had nothing but problems with their hardware and software. Their software is so buggy; I remember when things just worked and now odd glitches are a daily occurrence.

Personally I hate this Safari feature. I much rather have full control over what sites store/don't store. On my laptop and desktop I have Firefox reject all third-party cookies (there's virtually no legitimate reason to have them anyway), in addition to usual extensions to block trackers, etc. Safari is only used on my phone and this "feature" of Apple's causes problems because it's not learning the sites I visit and keeps deleting legitimate cookies for those sites so I have to login/change settings when I visit. There really should be more control for the end user but that's not the Apple way.
You can do the things you've just said and the last thing you said is utter nonsense and doesn't happen with Safari at all, you've got some other problem.
 

Dj64Mk7

macrumors 65816
Sep 15, 2013
1,171
332
Aren't the security researchers at Google completely separate from the engineers and product designers? Why are people taking shots likely designed for one specific part of a company and turning it into a statement against that company as a whole?
 

code-m

macrumors 68000
Apr 13, 2006
1,831
1,428
What but i thought..........................

"Technically" it's Safari.app that has this flaw (fixed in Dec 2019), not iPhone. You have the option to run other web browsers, granted Safari is the default. You do have a choice. There is also the issue that while using any internet services, information has to be exchanged in-order to access content. iPhone and iOS are still more secure and privacy inclined compared to the competition.

Not a supporter, just calling it as I see it. But meh whatever use what you want. /Peace.
 
  • Like
Reactions: BulkSlash

Dave-Z

macrumors 6502a
Jun 26, 2012
751
1,264
You can do the things you've just said
Nope. In Safari on iOS you have a couple of choices:

1. Prevent Cross-Site Tracking.
2. Block All Cookies.

You can block everything; this obviously wouldn't work well for most users. Or you can use Safari's "intelligent" cross-tracking prevention, which is the thing being mentioned in this MR article.

the last thing you said is utter nonsense and doesn't happen with Safari at all, you've got some other problem.
Nope. It's not. The "intelligent" tracking actually uses Apple's own proprietary system for deciding which sites are allowed to store cookies (first or third party) and uses its own heuristics for deleting cookies to prevent tracking. That's part of the whole reason this article exists, because Google found a flaw that allowed users to be tracked.

You can dig through these pages and their linked pages for more details:

https://webkit.org/blog/7675/intelligent-tracking-prevention/

https://webkit.org/blog/9521/intelligent-tracking-prevention-2-3/
 
  • Like
Reactions: heffsf

decisions

macrumors member
Sep 30, 2019
64
85
Well, I'm glad I deleted my iCloud backups at least. I think it's weird that those are on by default since the only way I found about them was through an e-mail telling me that they were taking up nearly all of my iCloud space.

Gonna continue using Safari/Firefox, since even though they have issues, they sell offer my better privacy than the competition while, in my opinion, simultaneously giving better usability as well.
 
  • Like
Reactions: BulkSlash

reflekshunmusic

macrumors newbie
Sep 13, 2016
13
4
The success of Google's business depends on breaching their user's privacy. It's a bit rich to stand on a righteous platform to expose Apple's privacy security flaws. Wouldn't it be better to work with them to improve privacy than to try and publicly shame them?

Looks more like dumb ass manipulation of information for Google to come out appearing as the hero and Apple as the Villain, rather than people trying to make the world a better place. IMO just grow up and grow out of the **** slinging already!
 
  • Like
Reactions: SeattleMoose

LV426

macrumors 6502a
Jan 22, 2013
902
378
Someone @ Apple should figure out how reddit always seems to know where I’ve been. i read reddit anonymously but its in-line ads always seem perilously close to what I’m interested in. Of course, I never click on any of them out of principle. But they seem to have a handle on me.
 

I7guy

macrumors Core
Nov 30, 2013
21,294
9,217
Gotta be in it to win it
I read the article. It's fixed. Just quite a few Apple privacy stories this week; some fair, some not so fair, but all of them I think were trying to place Apple in a bad light.

Hence, not a great week.

I for one would really appreciate encrypted iCloud backups.

I encrypt local backups, so I've been able to address my security concerns, but over iCloud would be much easier.
- - Post merged: - -


That's true---but you will get more clicks if you bring it up again with a damning headline!
- - Post merged: - -


It' a tough week for them as far as public perception of iPhone security.

It has zero to do with the stock price

You could have a great week at work and an awful week at home with your family; that would be a tough week irrespective of the good work week.

I bet you know that but wanted to appear witty.

You didn't.
In my own opinion, I don't know how many follow this stuff and then have an opinion of apple even if some of this is report in major outlets. (or pick your corporation that has a bad bug and then fixed it). I'd rather know the bug was fixed and hence good job Apple. (or pick your corporation)
 

ErikGrim

macrumors 601
Jun 20, 2003
4,388
2,964
Brisbane, Australia
I was under the impression that this feature was designed to minimise what’s already going on everywhere else? If this is a reasonable description of its intended purpose then it seems a bit disingenuous to paint any failures as security flaws. Certainly in the typical sense. Happy to be corrected.
Not at all. This is part and parcel of the wack-a-mole arms race between advertisers desperate to exploit anything at all that can identify a user across sites and Apple.
 
  • Like
Reactions: CarlJ

PickUrPoison

macrumors 603
Sep 12, 2017
6,008
7,320
Sunnyvale, CA
...but never told anyone of the issue nevertheless
The link was in the article—and my post you replied to:


Publicly posted 6 weeks ago
 
  • Like
Reactions: Ex2bot and CarlJ

crawfish963

macrumors 6502a
Apr 16, 2010
560
409
Texas
Hoping Apple has already released a patch for this, and if not, I hope they do soon. I'm starting to switch to Firefox anyways though. The level of privacy and extension support is phenomenal.
I've been using Brave for a week and I really like it so far. Chrome-like speed with none of the privacy losses.
 

wowotoe

macrumors member
Jun 25, 2007
97
64
Google researchers: Safari has several flaws to let people be tracked
Google CEO to employees: We want to track everything! And don't stop eavesdropping thru Google mini
 
  • Like
Reactions: ErikGrim and CarlJ

nickdalzell1

macrumors 6502a
Dec 8, 2019
557
217
Joke's on them. Not only have I in advance installed multiple extensions to ensure privacy (and ad blocking as well), but have configured my router to block any and all known domains that could ever breach this 'intelligent' feature. I'm not one of the dumb majority most seem content to program apps for these days. I'm the fool who actually read the manuals of each and every PC and IT product I've owned. Let Natural Selection take its course I say. Weed out the stupid, so maybe some better UI design might happen again. Stop the dumbing down. People will be less inclined to get smart if everyone caters to the stupid (I feel no sympathy for anyone who blindly trusts any company re: privacy)
 
  • Like
Reactions: rgbrock1

mi7chy

macrumors 603
Oct 24, 2014
6,141
7,135
Well it was a pretty long article I guess. For those who didn’t bother reading to the end:

“Apple appears to have addressed these Safari security flaws in a December update, based on a release update that thanked Google for its ‘responsible disclosure practice....’ ”

🙄
Guess you didn't read what "responsible disclosure" is.
 

femike

macrumors 6502
Oct 15, 2011
433
686
When any corporation praise themselves (or don't) about security, it's common sense to wary of that and take it with a grain salt. Also security to them may be differ from what security means to you.
 

coolfactor

macrumors 601
Jul 29, 2002
4,527
4,406
Vancouver, BC
There will always be ways to fingerprint you, especially if you use a minority browser like Safari. They do the best they can.
Minority browser?

You realize that Safari is the primary browser across iOS devices, right? That's millions and millions of users.

Chrome was formed from the Webkit foundation. The Chromium engine is at the heart of many browsers, including the new Microsoft Edge browser. So, in a way, all modern browsers are an offshoot of Safari in some form.
- - Post merged: - -

While I admire Apple's stance on privacy, their software quality control has sunken to all-time lows and that's why they'll continue to have security flaws. The two worst security flaws I've ever seen in the industry came from Apple - remember the one when you just typed a carriage return in response to entering the root user password and you got in, and then there was the one where upon mis-entering your password 3 times it asked you if you wanted your hint and when you said yes it returned your actual password instead...
Let's not mix up security with privacy. Two different things. Intelligent Tracking Prevention is a *new* technology still in its infancy, trying to tackle an ever-changing onslaught of advertisers trying to find ways to circumvent browser restrictions. There will never be a "perfect" version forever. It's an ever-changing landscape.

So, knock on Apple all you want, it carries little weight in the big picture. They are doing an exceptional job given the enormous task that they face.