Google exploits Safari bug to plant cookies, says it’s “known functionality”

The applications you use on a daily basis have user preferences for a reason: to give you control over how they behave. Unfortunately, not everyone has the scruples to respect your settings. Google, for example, seemed to think it was OK to sidestep cookie blocking in Safari on OS X and iOS.

Google’s misstep was unearthed by Jonathan Mayer, a security researcher at Stanford University. You might remember Mayer from a previous cookie-related incident. It was he who called out Microsoft for their use of an un-deletable super cookie last summer.

According to Mayer, Google was utilizing a Safari exploit that had been discovered two years ago. Developer Anant Garg found that a cookie that normally wouldn’t be saved could be written by utilizing a blank form submitted silently in the background as a page loads. The necessary code is very minimal, requiring just over two dozen lines to trick Safari into accepting the cookie.

So what does Google have to say about all this? Only that The Wall Street Journal “mischaracterized what is happening and why.” Google stressed that the cookies didn’t collect any personal information and were only sent to users that had previously signed in to their Google account in Safari.

But the statement from Mountain View also describes what was done as using known Safari functionality. That’s an interesting assertion, and it paints quite a rosy picture of leveraging a cross-domain cookie exploit in order to circumvent a user’s on-device preferences.

Google now says that they’ve put a stop to the practice, but this is yet another black mark on the company’s privacy record. Microsoft, of course, leapt at the opportunity to cry foul. IE lead Ryan Gavin quickly penned a post reminding folks that Microsoft’s latest and greatest browser respects your privacy and that you can lean on IE9 for protection if Google’s practices have ruffled your feathers.
