
Apple’s privacy software allowed users to be tracked, says Google - boh
https://www.ft.com/content/916a766a-3d27-11ea-a01a-bae547046735
======
arkadiyt
Here's the arxiv paper this article is reporting on, it's a short 6 page read:

[https://arxiv.org/pdf/2001.07421.pdf](https://arxiv.org/pdf/2001.07421.pdf)

Basically Safari keeps track of which domains are being requested in a 3rd
party context (i.e. I load example.com in my browser and the page loads the
Facebook SDK - Safari increments a counter for facebook.com by 1). Once a given
domain reaches 3 hits, Safari will strip cookies and some other data in 3rd
party requests to that domain.

The problem is that advertisers can use this to fingerprint users: register
arbitrary domains, make 3rd party requests to them, and detect whether or not
that request is having data stripped. Each domain is an additional "bit" of
data.

This is similar to "HSTS Cookies" [1] and also to issues with Chrome's XSS
auditor, which is why it was removed [2].

[1]: [https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/](https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/)

[2]: [https://twitter.com/justinschuh/status/1220021377064849410](https://twitter.com/justinschuh/status/1220021377064849410)

~~~
dang
Since this comment was copied at
[https://news.ycombinator.com/item?id=22120593](https://news.ycombinator.com/item?id=22120593),
we haven't moved it.

------
neonate
[http://archive.md/lhUeF](http://archive.md/lhUeF)

------
hhs
If the paywall is an issue, this also provides information:
[https://www.reuters.com/article/us-apple-privacy-google/google-finds-security-flaws-in-apples-web-browser-ft-idUSKBN1ZL2K9?il=0](https://www.reuters.com/article/us-apple-privacy-google/google-finds-security-flaws-in-apples-web-browser-ft-idUSKBN1ZL2K9?il=0)

------
zepto
Says Google, whose entire business is built on tracking users.

