Julian Yap

Google Tracked Safari Users, Bypassing Apple Browser Privacy Settings

To get around Safari's default blocking, Google exploited a loophole in the browser's privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.

It should be noted that the default setting on Safari is to block cookies "from third parties and advertisers" unless a user interacts with the third party in some way. This is a perfectly fair default which increases the privacy for users and does not break any obvious web browsing functionality.

On mobile Safari (on the iPhone and iPad) a similar default is in place, albeit with more cryptic wording. Theoretically, cookies from third parties and advertisers should be blocked in a similar manner as with desktop Safari.

Is it fair that Google purposefully circumvented these default privacy settings using a browser exploit? Definitely not.

Expect to see Apple address this legitimate browser exploit in the next security updates to OS X and iOS.

UPDATE: Jonathan Mayer, the grad student at Stanford whose research brought this issue to the WSJ, has recently put up a detailed post (http://webpolicy.org/2012/02/17/safari-trackers/) with further technical details.

16 FEBRUARY 2012 @ 11:34PM

