
WSJ: Safari Loophole Allowed Google to Track Users via Ads

Source: WSJ

Google and a number of other ad networks have been accused of tracking users' web browsing by using a loophole to circumvent Safari's default security settings.

Over the last few weeks, Google's found itself at the receiving end of quite a bit of criticism regarding planned changes to its privacy policy. Now it seems the company is in hot water again. An article published in the Wall Street Journal has revealed that the search giant (along with several other ad networks) has been tracking iPhone and Mac users via Apple's Safari browser.

Here's what happened: Apple's Safari browser is set to block third-party cookies by default, accepting cookies only from sites that a user visits or interacts with. However, there is an exception to this rule that allows cookies if you interact with a form or advertisement in certain ways. The Journal reports that Google and other ad networks took advantage of this exception by using an invisible form and its +1 Google+ recommendation system. Essentially, Google allowed Safari users who had signed into Google+ to interact with DoubleClick ads using an embedded '+1' button. This would then send off an invisible form that would have Safari think the user had provided permission for cookies to be stored.
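
To make the mechanism concrete, here is a simplified model of the cookie rule as described above, next to a stricter variant that only honors form submissions backed by a real user gesture. This is an added example, not code from Safari, Google or the Journal's report; the event fields, the policy names, the stricter rule and the "existing cookie unlocks further cookies" step (modelled on Google's statement quoted in this article) are assumptions.

```javascript
// Simplified model of the cookie rule as this article describes it.
// Not Safari's code; event fields and policy names are hypothetical.
function isThirdParty(ev) {
  return ev.cookieDomain !== ev.topLevelSite;
}

// Policy as described: third-party cookies are blocked unless the request
// is a form submission, or (assumption, modelling Google's statement that
// further cookies could then be set) the domain already holds a cookie.
function describedPolicy(ev, jar) {
  if (!isThirdParty(ev)) return true;
  if (ev.trigger === "form_submit") return true;
  return jar.has(ev.cookieDomain);
}

// Stricter variant (assumption): a form submission only counts when it
// follows a real user gesture, and existing cookies grant nothing extra.
function gesturePolicy(ev, jar) {
  if (!isThirdParty(ev)) return true;
  return ev.trigger === "form_submit" && ev.userGesture === true;
}

// Replay events against a policy; return one accept/block verdict per event.
function replay(policy, events) {
  const jar = new Set(); // domains that currently hold a cookie
  return events.map((ev) => {
    const accepted = policy(ev, jar);
    if (accepted) jar.add(ev.cookieDomain);
    return accepted ? "accept" : "block";
  });
}

// Constructed sample: a page on news.example embedding a frame from ads.example.
const events = [
  { topLevelSite: "news.example", cookieDomain: "news.example", trigger: "load", userGesture: false },
  { topLevelSite: "news.example", cookieDomain: "ads.example", trigger: "load", userGesture: false },
  { topLevelSite: "news.example", cookieDomain: "ads.example", trigger: "form_submit", userGesture: false },
  { topLevelSite: "news.example", cookieDomain: "ads.example", trigger: "load", userGesture: false },
  { topLevelSite: "news.example", cookieDomain: "ads.example", trigger: "form_submit", userGesture: true },
];

console.log("described:", replay(describedPolicy, events).join(", "));
console.log("gesture:  ", replay(gesturePolicy, events).join(", "));
```

Under the described rule, the third event (a form submission with no user gesture) is accepted and every later request from that domain is accepted with it; under the gesture rule only the final, user-initiated submission gets through.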

For its part, Google says that it used this workaround to enable signed-in users to give +1 votes to content, but was unaware that it inadvertently enabled the advertising cookies. The search giant has since disabled the feature. It said in a statement to Electronista that users who had opted out of its interest-based ad program (via Google's Ad Preferences Manager) were not affected by the workaround. Check out the full statement below:

"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.

"Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content--such as the ability to “+1” things that interest them.

"To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous--effectively creating a barrier between their personal information and the web content they browse.

"However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.

"Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google’s Ads Preferences Manager."

Google wasn't the only one using this loophole. The code, which was discovered by Stanford researcher Jonathan Mayer, was also used by Media Innovation Group, PointRoll, and Vibrant Media. However, Google is the most high-profile of the listed offenders, and with recent discussions over the search giant's attitude to user privacy, it's hardly surprising that it is receiving more attention than the others over this.

[UPDATE] Well, it's all fun and games until someone phones the FTC, isn't it? Ars reports that Consumer Watchdog has asked the Federal Trade Commission to investigate this issue. Specifically, they want to know if Google has violated a previous agreement with the FTC by tracking cookies in this way.

Follow @JaneMcEntegart on Twitter for the latest news.      

Discuss
  • 0
    warezme , February 17, 2012 7:34 PM
    I hope the FTC slams all those mutha's. I'm tired of their lying sneaky ways they keep trying to steal your information or force feed you ads. If your org can't sustain itself without lying and cheating then maybe it wasn't meant to be. Just go out of business. The web was built to share information and not advertisements that track and steal.
  • 17
    freggo , February 17, 2012 7:39 PM
    "but was unaware that it inadvertently enabled the advertising cookies"

    Yeah, right. Because Google employs 2nd tier programmers.
    Gimme a break. You got caught with your fingers in the cookie jar (pun intended).

    It seems that slowly but persistently Google is sliding down the slope of misconduct like every other corporation that grew too big to be held accountable.

    Shame, but certainly no surprise.
  • 8
    rantoc , February 17, 2012 7:39 PM
    But but Apple products are impervious and patched quickly if anything is found... *trying to hold laughter*
  • 7
    molo9000 , February 17, 2012 7:44 PM
    "Don't be evil"
    "provide features"
    "privacy policy"

    George Orwell was right about newspeak...
  • 0
    dalethepcman , February 17, 2012 7:49 PM
    I find it sad that Google "gets in hot water" for a flaw in Apple's software. Then has to go back and fix their +1/ad sense programs, but still gets called out for being the bad guy.

    They should have said "we have reported this flaw to apple to be fixed in a future security update" and passed the buck to where it should have been.
  • 5
    amk-aka-Phantom , February 17, 2012 8:00 PM
    Quote:
    circumvent Safari's default security settings


    Safari has security settings?
  • 11
    molo9000 , February 17, 2012 9:09 PM
    amk-aka-Phantom: Safari has security settings?


    Firefox, Chrome, Opera and Internet Explorer all accept 3rd party cookies by default.
    Only Safari blocks them by default.

    btw: it should be called privacy settings, not security settings.
  • 0
    glasssplinter , February 17, 2012 9:15 PM
    rantoc: But but Apple products are impervious and patched quickly if anything is found... *trying to hold laughter*


    "Well, just a second there, professor. We, uh, we fixed the *glitch*. So he won't be receiving a paycheck anymore, so it'll just work itself out naturally." crapple philosophy 101
  • 4
    ap3x , February 17, 2012 9:43 PM
    dalethepcman: I find it sad that Google "gets in hot water" for a flaw in Apple's software. Then has to go back and fix their +1/ad sense programs, but still gets called out for being the bad guy. They should have said "we have reported this flaw to apple to be fixed in a future security update" and passed the buck to where it should have been.


    Google did not find it, and it is not a security problem. It is a privacy issue which Google used for the benefit to Google to get around measures in Safari to block the use of 3rd party cookies. All the other browsers have it enabled by default, Safari does not so Google decided to use a method to get around that.

    So no this is not a case where someone finds a vulnerability and gets in trouble for it. This is a case where a large company leverages a flaw to glean additional information from a device without explicit permission from the user.

    It is the same thing as someone using an exploit in a browser to install Gator or something on your computer. No one wanted that crap on their machine but somehow it ended up getting installed and showing up next to your clock. Anyone remember Gator?
  • -1
    greenspoon , February 17, 2012 9:48 PM
    Come on guys. Google was doing this for the good of its users. That is all. They were not out to make money, invade privacy, or anything else. They just wanted to provide a better experience for their users.

    Apple on the other hand. This was a deliberate mistake on their part and everyone at Apple should be hung until dead for the oversight.
  • -1
    ap3x , February 17, 2012 10:20 PM
    greenspoon: Come on guys. Google was doing this for the good of its users. That is all. They were not out to make money, invade privacy, or anything else. They just wanted to provide a better experience for their users. Apple on the other hand. This was a deliberate mistake on their part and everyone at Apple should be hung until dead for the oversight.


    lol, are you serious? For the good of its users on iOS devices? Am I the only one that finds it interesting that you're so understanding for Google and then you go to the extreme when talking about Apple. I mean come on "hung until dead"? seriously?
  • 6
    greenspoon , February 17, 2012 10:44 PM
    ap3x: lol, are you serious? For the good of its users on iOS devices? Am I the only one that finds it interesting that you're so understanding for Google and then you go to the extreme when talking about Apple. I mean come on "hung until dead"? seriously?


    Ummm.... It is called sarcasm.
  • -1
    alidan , February 18, 2012 4:22 AM
    warezme: I hope the FTC slams all those mutha's. I'm tired of their lying sneaky ways they keep trying to steal your information or force feed you ads. If your org can't sustain itself without lying and cheating then maybe it wasn't meant to be. Just go out of business. The web was built to share information and not advertisements that track and steal.


    if those ads are what keep youtube free, my email free and with more than 10mb of storage space, and help a lot of websites and video makers make money through allowing their ads, in large enough sums that popular places can make it a full time job... well i am PERFECTLY FINE with being shown ads.

    i WILL NEVER see why people have such a huge problem with ads.

  • -2
    cookoy , February 18, 2012 2:31 PM
    Curiously IE, FF and Chrome are not affected. Only Safari. Is this poor programming or something more sinister?
  • 2
    ap3x , February 18, 2012 4:59 PM
    greenspoon: Ummm.... It is called sarcasm.



    Ahh, my apologies. Guess I am used to seeing all kinds of really extreme comments on this site so it is hard to tell when someone is being sarcastic.
  • 3
    popatim , February 18, 2012 6:28 PM
    Quote:
    It said in a statement to Electronista that users who had opted out of its interest-based ad program (via Google's Ad Preferences Manager) were not affected by the work around.


    This proves that it was intentional; why else would you code the workaround to not work on users that opted out...

    Not everyone is a moron Google. You're cold busted. Enjoy the lawsuits and fines.
  • 4
    Vladislaus , February 19, 2012 8:01 AM
    cookoy: Curiously IE, FF and Chrome are not affected. Only Safari. Is this poor programming or something more sinister?

    IE, Firefox and Chrome aren't affected because they accept third party cookies by default while Safari doesn't
  • 1
    del35 , February 19, 2012 1:36 PM
    Quote:
    I find it sad that Google "gets in hot water" for a flaw in Apple's software.


    Your comment points light at how the MSM list of favored companies is rigged these days. Imagine Microsoft getting off that easily.

  • 1
    freggo , February 20, 2012 2:09 PM
    Talk about THG not even trying to filter the spam ads out.
    It's not that hard to do after all; especially for a top tech site.
    Shame.
  • 1
    eddieroolz , February 20, 2012 7:03 PM
    Pay hackers to secure your browser, but when you've got an information leak in a competitor's browser - just leap in and harvest data!

    Just like Google.