These flaws could have helped third-party vendors track users' browsing habits. According to a report in the Financial Times which cited a soon-to-be-published paper from Google's 'Project Zero' team, the vulnerabilities were found in an anti-tracking feature known as 'Intelligent Tracking Prevention'.Once disclosed by Google researchers to Apple in August last year, the Cupertino-based iPhone maker immediately patched the flaws. Apple launched the 'Intelligent Tracking Prevention' tool in 2017 to, in fact, protect Safari users from being tracked around the web by advertisers and other third-party cookies.
According to Google researchers, the vulnerabilities left personal data of Safari users exposed. They also found a flaw that allowed hackers to "create a persistent fingerprint that will follow the user around the web". Apple confirmed it patched the issues. This is the third time Google researchers have found flaws in the Apple ecosystem. In September, Apple slammed Google for creating a false impression about its iPhones being at hacking risk owing to security flaws that allegedly let several malicious websites break into its iOS operating system.
Researchers at 'Project Zero' team had discovered several hacked websites that allegedly used security flaws in iPhones to attack users who visited these websites -- compromising their personal files, messages, and real-time location data. In a statement, Apple said the so-called sophisticated attack was narrowly focused, not a broad-based exploit of iPhones "en masse" as described. According to Google, the websites delivered their malware indiscriminately and were operational for years.
According to the iPhone maker, "all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not "two years" as Google implies. Google researchers also said they identified a vulnerability that accessed all the database files on the victim''s iPhone used by end-to-end encryption apps like WhatsApp, Telegram and iMessage.
Apple said that it fixed the vulnerabilities in question -- working extremely quickly to resolve the issue just 10 days after it learnt about it. In July last year, the 'Project Zero' team found six critical flaws in Apple iMessage that can compromise the user's phone without even interacting with them. These security vulnerabilities fell into the 'interactionless' category.
Two members of 'Project Zero', Google's elite bug-hunting team, published details and demo proof-of-concept code for five of six 'interactionless' security bugs that impact the iOS operating system and can be exploited via the iMessage client. All the six security bugs were patched with the iPhone maker's iOS 12.4 release.
*Edited from an IANS report