Premium user security is one of the main selling points of all Apple products. The Cupertino-based tech giant regularly stresses that the internet is not always a safe place, which is why it uses encryption and anti-tracking software. A new report, however, shows that Apple’s security system is not as secure as Apple would like us to believe. The report was published Wednesday by a group of Google security engineers, and it highlights a handful of flaws in Safari.
Google Security Engineers Discover Safari Security Flaws
According to the report released by the Google security engineers, a set of flaws in Safari allows potential hackers to view users’ browsing history. Not only that, but the potential hackers could also access the search history. If you think that this isn’t scary enough, you should know that the security engineers have managed to prove that Safari’s anti-tracking software actually permits malicious software to track the user’s internet behavior.
The Security Report
“When Safari notices a website sending a cross-site resource request, it increases an internal counter for the domain from which the resource is loaded (referred to as an ITP strike throughout this report). Once a given domain has accumulated enough ITP strikes, it is categorized by Safari as a prevalent domain. Details of the classification logic evolve and are beyond the scope of this document; in our testing, being used in a third-party context by 3 other domains was consistently sufficient for Safari to designate a domain as prevalent,” says the report.
“The prevalent domain list (referred to as the ITP list below) is stored at the granularity of registrable domains; specifically, Safari stores the eTLD+1, accounting for the Public Suffix List. When Safari makes a cross-site request to a prevalent domain, it applies privacy restrictions to remove information that would allow that domain to infer the user’s identity and cross-link it with third-party requests from other websites. It does so by removing cookies and truncating the Referer header to include only the referring document’s origin instead of its full URL,” added Google’s security engineers.
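The mechanism in the two quoted passages can be modelled in a few lines. This is an added example, not code from the report or from Safari. It assumes a strike is counted once per distinct first-party site, that the strike is recorded before the prevalence check, and that a tiny constructed suffix set stands in for the Public Suffix List; `ItpModel` and all hostnames are hypothetical.

```javascript
// Simplified model of the ITP behaviour quoted above (not Safari's code).
// Assumption: a small constructed suffix set stands in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);
// Value the report observed in testing, not a documented constant.
const PREVALENT_THRESHOLD = 3;

// Reduce a hostname to its registrable domain (eTLD+1).
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    // Longest public suffix is tried first; keep one label to its left.
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return hostname.toLowerCase();
}

class ItpModel {
  constructor() {
    // Resource eTLD+1 -> set of first-party eTLD+1s that loaded it cross-site.
    this.strikes = new Map();
  }

  isPrevalent(domain) {
    const seen = this.strikes.get(registrableDomain(domain));
    return seen !== undefined && seen.size >= PREVALENT_THRESHOLD;
  }

  // Process one subresource request and return the headers as they would be sent.
  request(documentUrl, resourceUrl, cookies) {
    const doc = new URL(documentUrl);
    const first = registrableDomain(doc.hostname);
    const third = registrableDomain(new URL(resourceUrl).hostname);
    const fullReferer = doc.origin + doc.pathname + doc.search;
    // Same-site requests earn no strike and are sent unmodified.
    if (first === third) return { referer: fullReferer, cookies };

    // Cross-site: record an ITP strike against the resource's eTLD+1.
    if (!this.strikes.has(third)) this.strikes.set(third, new Set());
    this.strikes.get(third).add(first);

    // Prevalent domains lose cookies and see only the referring origin.
    return this.isPrevalent(third)
      ? { referer: doc.origin + "/", cookies: null }
      : { referer: fullReferer, cookies };
  }
}
```

Because the list is keyed on the eTLD+1, strikes earned by different subdomains of the same registrable domain accumulate in one shared entry, and that entry persists across every site the user visits.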