Flaws Remain in Safari's Intelligent Tracking Protection
Arthur T Knackerbracket has found the following story:
Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple's WebKit team for the company's Safari browser.
In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) through software updates, specifically Safari 13.0.4 and iOS 13.3. Those bugs could be exploited to leak browsing and search history and to perform denial of service attacks.
But they're not quite fixed, according to Google's boffins. In a paper [PDF] titled, "Information Leaks via Safari's Intelligent Tracking Prevention," authors Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis claim that the proposed mitigations "will not address the underlying problem."
And on Wednesday, Justin Schuh, Google engineering director for Chrome security and privacy, made a similar claim via Twitter. Google, he said, had found similar security flaws in a Chrome tool called XSS Auditor and had decided they were fundamentally unfixable.
"After several back and forths with the team that discovered the issue, we determined that it was inherent to the design and had to remove the code," he explained.
-- submitted from IRC
Read more of this story at SoylentNews.