backtop


Print 35 comment(s) - last by watcha10.. on Feb 23 at 11:56 AM


  (Source: blogspot.com)
Google was also able to bypass privacy settings on mobile Safari, which normally blocks cookies as well

Google was recently caught bypassing user privacy settings on Apple's browser, Safari, and also on Microsoft's Internet Explorer. But Google claims that it was just trying to get its +1 buttons to work on Safari, and that Internet Explorer's cookie policy was "widely non-operational."

The Wall Street Journal recently outed Google for finding a way to bypass default privacy settings and place ad-tracking cookies on Safari users. These third-party cookies are used to track what users are doing on the Internet, which in turn helps Web giants like Google target users with suitable advertisements.

Google was able to successfully get past Safari's browser settings for privacy, which attempts to block certain types of cookies. Safari accepts first-party cookies (the Web site the user is on) or second-party cookies (the user's browser), but blocks third-party cookies, which links the browser to an entirely different Web site. The mobile version of Safari, which can be found on iOS devices, has the ability to block all cookies or none at all. 

Despite a user's privacy settings, Google and ad networks from Vibrant Media, PointRoll and Media Innovation Group were able to bypass this. They did so by making it look like the user visiting a Web site filled out a form of some sort (even if no form was presented to the user) and the companies would then get their cookies accepted. Google was also tracking user activity on the mobile version of Safari, meaning that iPhone, iPad and iPod touch users were being watched as well.

After The Wall Street Journal broke the story, Microsoft's Windows Internet Explorer Engineering Team wondered if Google was doing the same thing to Internet Explorer's users. As it turns out, it was.

"We've found that Google bypasses the P3P Privacy Protection feature in IE," said the Windows Internet Explorer Engineering Team Blog. "The result is similar to the recent reports of Google's circumvention of privacy protections in Apple's Safari Web browser, even though the actual bypass mechanism Google uses is different.

"By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site's use does not include tracking the user. Google's P3P policy causes Internet Explorer to accept Google's cookies even though the policy does not state Google's intent."

Microsoft suggested that users utilize the Tracking Protection feature in Internet Explorer 9, which doesn't allow Google to bypass security settings.

Google defended itself against the claims, saying that it never intended to track users on Safari or Internet Explorer. As far as Safari goes, it was just trying to get its +1 buttons to work. Browsers like FireFox, Chrome and Internet Explorer don't block third-party cookies by default, but Safari does. Therefore, Google bypassed the privacy settings to allow its +1 buttons on advertisements to be distributed through the AdSense network to other sites. Google also said it wasn't tracking iPhones, just what some people are doing in the Safari browser.

On the Internet Explorer side of things, Google argued that Internet Explorer's P3P cookie technology is "widely non-operational." Google also mentioned Facebook and Amazon's use of P3P bypass, and that P3P doesn't support Google's modern Web services. The P3P standard is now out of date, said Google.

"Microsoft omitted important information from its blog post today," said Google. "Microsoft uses a 'self-declaration' protocol (known as P3P) dating from 2002 under which Microsoft asks websites to represent their privacy practices in machine-readable form. It is well known -- including by Microsoft -- that it is impractical to comply with Microsoft's request while providing modern web functionality. We have been open about our approach, as have many other websites."

Sources: Windows Internet Explorer Engineering Team Blog, Marketing Land, The Verge



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Uh
By sprockkets on 2/21/2012 6:54:21 PM , Rating: 4
You need to read up on this Tiffany.

https://bugs.webkit.org/show_bug.cgi?id=35824

Bug/Feature request regarding problem with Safari being too restrictive on 3rd party cookies

And this for the IE "debacle"

http://bits.blogs.nytimes.com/2010/09/17/a-loophol...

Article on the uselessness of IE's 3rd party cookie guard, posted months ago. MS didn't seem to care then.

http://support.google.com/accounts/bin/answer.py?h...




RE: Uh
By sprockkets on 2/21/2012 6:57:49 PM , Rating: 2
RE: Uh
By rs2 on 2/21/2012 9:10:27 PM , Rating: 2
And moreover, it's not the job of the website to enforce or respect the browser's cookie settings. It's the job of the browser to enforce its cookie policies. If the browser does this incorrectly or insecurely, it's not the website operator's fault.

Google's position is correct. They did nothing wrong. Blame the browser implementors if you think something wrong has been done.


RE: Uh
By Strunf on 2/22/2012 7:47:17 AM , Rating: 4
That's bull... it's like saying that it's not the the hacker fault when it hacks a site but the website administrator for not making 100% safe.

The fact is that Google bypassed a security feature, that this security is "outdated" or not is besides the point!

The P3P is a web standard it is not a MS feature, if your website says that it complies with P3P it must complies with P3P, it's in no way any different than if you set your browser to not accept any cookie and a website finds a way to still do it...

In a day and age where any of your information is worth something, Google and others will do whatever they can to bypass your restrictions!


RE: Uh
By quiksilvr on 2/22/2012 8:27:16 AM , Rating: 1
That is an over the top analogy. That's like saying slapping someone in the face = running over with car.

A better analogy would be being able to log in with someone else's username and being able to log in without the need for a password. That's not hacking. That's a crazy security hole, which is what this is.


RE: Uh
By nafhan on 2/22/2012 9:58:24 AM , Rating: 3
Apple may have a point in regards to bypassing Safari's cookie blocking, but:
--P3P is a web standard that's all but been abandoned as unworkable
--MS is the only browser vendor to currently implement it
--most major websites bypass it

To me, it sounds like MS is jumping on the anti-Google bandwagon. Really, the de facto "standard" in regards to P3P is to ignore it altogether, which is what Google is doing. Remember, too, web standards are effectively more like guidelines than legal documents.

In regards to this:
quote:
That's bull... it's like saying that it's not the the hacker fault when it hacks a site but the website administrator for not making 100% safe.
A "hacker" will always be at fault for his actions, but an admin who leaves an obvious opening or flaw will probably lose his job - or worse.


RE: Uh
By Strunf on 2/22/2012 11:42:33 AM , Rating: 3
Only Google is not ignoring it... if they wanted to ignore it they could make the web page without the P3P key, they are in fact exploiting a bug. They do this cause IE unlike any other web browser blocks 3rd party cookies that do not have a certificate, in other words it doesn't fit on their modus operandi of getting as much information out of you as possible.

Webstandars are guidelines? sure but I for one want the standards enforced, I don't have any problem if the standard keeps "evolving" or that some browser don't support it, but if I make a xtml 1.1 page I sure hope it will be the same on every browser that supports it.


RE: Uh
By nafhan on 2/22/2012 12:36:21 PM , Rating: 3
They're ignoring the intent of an outdated and generally un-utilized privacy setting that's only present on IE, and Google's not the only one ignoring it. FB, Amazon, and others are ignoring it as well.


RE: Uh
By watcha10 on 2/23/2012 11:56:09 AM , Rating: 2
Yep, I agree


RE: Uh
By JediJeb on 2/22/2012 3:55:16 PM , Rating: 2
quote:
Remember, too, web standards are effectively more like guidelines than legal documents.


I invoke the right of Parlay against those who bypass my privacy settings.


RE: Uh
By sigmatau on 2/21/2012 10:11:24 PM , Rating: 2
What about Firefox and Opera? Same thing?


RE: Uh
By The Raven on 2/22/2012 11:30:49 AM , Rating: 2
I think this is more about evil Google attacking simpletons using default browsers. Anyone using FF, Opera or any 3rd party browser probably knows how to manage cookies and possibly use noscript, etc. I mean this article probably doesn't have anything to do with the vast majority of DT readers.


RE: Uh
By tayb on 2/21/12, Rating: -1
RE: Uh
By sprockkets on 2/21/2012 10:51:35 PM , Rating: 2
That "bug" is a feature request which is what allowed more cookies to be set than usual. You can't blame Google for that.

Further, two Google engineers submitted on AUG 11, 2011 , a patch to fix safari/webkit so this wouldn't happen.

http://trac.webkit.org/changeset/92142

But if you still want to blame Google, go ahead. We know some people have to.


Judging the significance
By Tony Swash on 2/22/2012 7:41:42 AM , Rating: 1
I know one can get too paranoid and see too much pattern and intent in a simple fuck up, I am not generally a conspiracy theorist, but episodes like this one with Google circumventing user privacy settings can reflect deeper truths about a company's core dynamic. I do think this episode reveals something about Google and privacy and what the core dynamic of Google's business is, about what drives Google. I don't mean what are it's professed ideals but rather what are the central dynamics and drives of its core business model. ??

The way Google makes money, the only way it makes money, it's almost sole source of income, is to sell advertising. And Google can sell that advertising because it offers the buyers of the advertising the very special added benefit of targeting that advertising, of putting ads before people that are cleverly and effectively tailored to match the interests and concerns of the individual viewer. And Google does that by watching and recording what people do on the internet, what they search for, what they watch, what they write and read in their emails, who they network with, what they buy, etc and then Google records and stores that behaviour at the level of the individual so it can be interrogated by Google's advertising distribution algorithms. Being able to watch what people do and record it at the level of an individual is absolutely central to the very core of Google's corporate identity. That is why there are so many Google offerings trying to tempt people into declaring themselves and making their identity known to Google in some way.??

Without being able to watch and record what people do Google no longer has a product to sell. This means that Google will always view areas of activity on the internet which it cannot record and inspect as a threat, to be broken into or routed around. This is not about ethics or the simplistic and somewhat childish notions of good and bad, it is about basic business logic. For Google opening up, inspecting, and recording information and behaviour is really just one big technical problem and all Google thinks it wants to do with this information is just make things better for the user, to make the search results and the advertising that each of us sees, more relevant. So the drive to overcome hurdles and to breach obstacles to the collection of user data is hardwired deep into Google's DNA.??

Google has to be able to watch enough of us enough of the time so that the adverts it places are accurately tailored to each of us. Then it has a product it can sell. If it cannot watch and record at the level of individuals Google has no business and nothing to sell. If it cannot access a high proportion of the users and activities on the internet then it's product is devalued.

Whether any of this bother one is a personal issue, some care some don't. But it is wrong to view episodes such as the Google Safari/IE privacy breach as somehow anomalous.??

Remember: if the product is free, You are the product.




RE: Judging the significance
By SkullOne on 2/22/2012 10:56:24 AM , Rating: 2
I love how you ignore the facts all the time Tony. Then again facts always make Apple look rotten.

How are they purposely circumventing? Is it Google's fault that Webkit purposely relaxed 3rd party cookie policies back in March 2010? Is it Google's fault that Webkit and Safari didn't implement the fix for this that was submitted in August, 2011 by Google developers? Please explain that too.

Firefox and Chrome both explicitly block 3rd party cookies no questions asked so this "loophole" doesn't exist. Why does IE and Safari not do the same?


RE: Judging the significance
By The Raven on 2/22/2012 11:32:54 AM , Rating: 2
Actually they ask you by default if I am not mistaken. Better than default block IMHO


RE: Judging the significance
By Tony Swash on 2/22/2012 12:18:02 PM , Rating: 2
I believe that Google also exploited a loop hole in IE which doesn't use webkit.

Who is more guilty, the person who leaves their window open or the burglar who climbs in?

Obviously a tough call for some:)


RE: Judging the significance
By SkullOne on 2/22/2012 12:48:14 PM , Rating: 2
You still ignore the facts that were posted earlier in the thread so I'll post the URL again and pay attention to the date. IE has had this known issue since well...forever and they chose to ignore it. So it's Microsoft's fault.

http://bits.blogs.nytimes.com/2010/09/17/a-loophol...

You also (conveniently) didn't answer my question though. If Firefox and Chrome explicitly block 3rd party cookies no questions asked why do IE and Safari not do the same? That takes the issue and points is squarely at the web browsers, not at Google or the other websites out there that use this "loophole".


RE: Judging the significance
By Tony Swash on 2/22/2012 3:13:37 PM , Rating: 2
So I guess your answer is that the burglar is less guilty than the guy who leaves his window open.

Odd call in my opinion.


RE: Judging the significance
By SkullOne on 2/22/2012 3:40:49 PM , Rating: 2
lulz

I love how you can never answer a simple question when the answer makes your precious Apple look rotten. Especially when Webkit did this to themselves by relaxing the policies in March 2010 and didn't bother implementing the fix submitted by Google developers back in August 2011.


RE: Judging the significance
By Tony Swash on 2/22/2012 5:11:25 PM , Rating: 2
quote:
Especially when Webkit did this to themselves by relaxing the policies in March 2010 and didn't bother implementing the fix submitted by Google developers back in August 2011.


So Googles response was to exploit the hole. Nice. I blame the burglar not the victim no matter how careless they are. You obviously do the opposite.


RE: Judging the significance
By SkullOne on 2/23/2012 9:17:15 AM , Rating: 2
What about the fact that Microsoft's own support page recommended people do exactly what Google is doing? Which is also what Microsoft's site does, as does Facebook.

The only reason Microsoft came out with this information was to jump on the "I hate Google" bandwagon and make Google look bad. Instead all it's done is show that IE is still outdated and insecure as is Safari.

Why can't you ever lay blame where it belongs?


RE: Judging the significance
By sprockkets on 2/22/2012 12:05:24 PM , Rating: 2
quote:
I am not generally a conspiracy theorist...


Ahahahahahaha!!!


I find it funny
By dvinnen on 2/21/2012 7:34:21 PM , Rating: 4
I find it funny that this article has a +1 Google icon on it.




RE: I find it funny
By Devenish on 2/22/2012 12:54:44 AM , Rating: 2
I find it even more funny that no one ever uses +1, but many websites bought into the hype and rushed to put on their page.

At this moment I look up and see "0" clicks, maybe Google should just rename it "+null".


RE: I find it funny
By JediJeb on 2/22/2012 4:01:06 PM , Rating: 2
No +1 showing up on my browser :)


No Suprise
By MechanicalTechie on 2/21/2012 6:00:25 PM , Rating: 2
Another day and another large IT company taking the piss and exploiting its users... so lame!




RE: No Suprise
By BZDTemp on 2/22/2012 3:56:39 AM , Rating: 5
Another day and some ill informed git writes a rant inflaming those that can not think for them self.... so lame!


Not much of a privacy setting..
By masamasa on 2/22/2012 11:04:12 AM , Rating: 2
...if it can be that easily bypassed.

"We've found that Google bypasses the P3P Privacy Protection feature in IE," said the Windows Internet Explorer Engineering Team Blog.

Just the spewing of more crap as Google continues to steal market share from Microsoft and Apple. Whoop dee doo.




RE: Not much of a privacy setting..
By messele on 2/23/2012 2:06:17 AM , Rating: 2
Market share of what? Tracking, spying and consequently sharing private information and dishing unwanted advertising to people?

They are welcome to it.


Google
By bkrharold on 2/22/2012 4:46:30 PM , Rating: 2
Google is evil




RE: Google
By rcc on 2/22/2012 4:58:29 PM , Rating: 2
Only evil light...

Or quasi evil.


Privacy concerns? Google?
By tayb on 2/21/2012 6:00:19 PM , Rating: 3
What? I thought Google scanned my emails so they could send me better emails. And they track my internets so they can send me better internets.




Safari and IE= Exploitable
By Black1969ta on 2/21/2012 7:32:47 PM , Rating: 2
Safari and IE are equally exploitable, Jobs would be rolling in his grave!!!

But seriously, what about Opera and Firefox? do they have this vulnerability also?

If Google can do this, what about a malware creator.




"It's okay. The scenarios aren't that clear. But it's good looking. [Steve Jobs] does good design, and [the iPad] is absolutely a good example of that." -- Bill Gates on the Apple iPad














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki