If you’re a Safari user on a Mac, a Windows PC, or an iOS device, you may have told your browser to accept cookies only from the sites that you visit. The setting prevents outside sources from leaving cookies on your machine that you didn’t agree to.
For example, if you visit your favorite blog to read a story and the page loads an iframe with content from another site, Safari will not save the cookie from the other site. However, some sites, such as Google and Facebook, have been using a sneaky little trick to circumvent this setting.
Google used an exploit that was first uncovered by developer Anant Garg back in 2010. It uses a blank form, sent in the background while you’re browsing the web, to “trick” Safari into accepting cookies from unauthorized sources.
Stanford researcher Jonathan Mayer first discovered the search giant was using this trick and reported his findings to The Wall Street Journal. Google has ceased using this workaround since it was contacted for comment, but it claims The Wall Street Journal’s report misrepresents the facts:
“The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”
But Google isn’t the only site that has been taking advantage of this exploit. The WSJ found that Facebook and at least three other advertisers were also guilty. It’s no surprise, then, that Apple is planning to fix the flaw. A spokesman for the Cupertino company said:
“We are aware that some third parties are circumventing Safari’s privacy features and we are working to put a stop to it.”
Are you a Safari user, and if so, are you frustrated that sites like Google and Facebook were allowed to leave cookies without your permission?
[via The Verge]