Linked by Thom Holwerda on Fri 17th Feb 2012 15:36 UTC, submitted by bowkota
Privacy, Security, Encryption
Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn't allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago.
Apple is the issue
by SojoPhoto on Fri 17th Feb 2012 19:24 UTC
SojoPhoto Member since:
2011-12-08

Google and the others did nothing wrong. Apple has been riding high on this, "We're Safer than everyone else" bus, that they can no longer create a secure product.

They left the loophole available, and now the fanboys are going to blame everyone else? Whatever... Just shows how Apple has truly given up on Security.

Reply Score: -2

RE: Apple is the issue
by jackeebleu on Sat 18th Feb 2012 04:21 in reply to "Apple is the issue"
jackeebleu Member since:
2006-01-26

Wait, so it's Apple's fault that Google and FB purposely and willfully circumvented controls in Safari and said "F U" to the millions of Safari users' privacy concerns so that they could continue to make money? Really?

So I guess if someone breaks into your home, by circumventing your alarm/locking mechanism, eats your food, cooks in your kitchen, and rapes your mom... it's your fault for having circumventable locks... right?

Reply Parent Score: 3

RE[2]: Apple is the issue
by Neolander on Sat 18th Feb 2012 07:49 in reply to "RE: Apple is the issue"
Neolander Member since:
2010-03-08

Actually, everyone is guilty ;)

Apple are guilty of keeping a known security hole in their browser open for 7 months after it was fixed in the source. To follow your analogy: if you leave the key to your house under the doormat and your neighbour has publicly poked fun at the fact when he found out months ago, you should expect someone to break in and make copies of the embarrassing photos under your mattress at some point*.

Google and Facebook are guilty of violating standard security practices by not informing Apple in a direct way and giving them some time to fix the hole before beginning to exploit it. This kind of hacker ethics does not translate well to real-life situations, but it is the way things work in the realm of computer security.

* It seems we do not have the same view of what kind of offense online privacy violation represents.

Edited 2012-02-18 08:08 UTC

Reply Parent Score: 2

RE[2]: Apple is the issue
by darknexus on Sat 18th Feb 2012 18:37 in reply to "RE: Apple is the issue"
darknexus Member since:
2008-07-15

Wait, so it's Apple's fault that Google and FB purposely and willfully circumvented controls in Safari and said "F U" to the millions of Safari users' privacy concerns so that they could continue to make money? Really?

No, but it is Apple's fault that this security hole still exists in Safari when it was fixed in the WebKit source months ago. They're all pricks: Google and Facebook for giving us the finger where our privacy is concerned (though surely people aren't actually surprised by that), and Apple for failing to keep their version of WebKit patched and in better sync with the current source tree. The real question is, now that this is out in the open, will Apple patch it promptly?

Reply Parent Score: 4

RE: Apple is the issue
by Tony Swash on Mon 20th Feb 2012 22:39 in reply to "Apple is the issue"
Tony Swash Member since:
2009-08-22

Google and the others did nothing wrong. Apple has been riding high on this, "We're Safer than everyone else" bus, that they can no longer create a secure product.

They left the loophole available, and now the fanboys are going to blame everyone else? Whatever... Just shows how Apple has truly given up on Security.

Looks like Google has also been systematically and secretly bypassing Internet Explorer as well, so your 'it's all Apple's fault' idea doesn't work.

http://www.electronista.com/articles/12/02/20/microsoft.tries.to.pr...

An excerpt from the report

Microsoft's Corporate VP for Internet Explorer, Dean Hachamovitch, made allegations Monday that Google was bypassing Internet Explorer's privacy settings, not just Safari's measures. After checks, he claimed that Google's cookie text files, meant to allow +1 actions for those who were signed into Google, were skirting the P3P Privacy Protection standard as it was implemented in Internet Explorer 9. The technique supposedly made IE9 take third-party cookies that it would block by default while keeping the action a secret.

To honor P3P, Google was supposed to send a set of policy tokens indicating how the cookie's information would be shared. Google was supposedly exploiting a P3P clause that skipped users' preferences if the policies weren't defined. Any browser that used P3P interpreted the message that the token was "not a P3P policy" as a sign to allow the cookie, letting Google have its intended +1 effect but also possibly allowing third-party ads despite the usual blocking settings.

The executive implied this wasn't just a casual trick, since Google would have had to use "technically skilled" staff with "special tools" to see the P3P descriptions.


At some point Google saying 'oops - a mistake - we are sorry' is going to wear a bit thin.

Reply Parent Score: 2
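
The P3P behaviour described in the excerpt quoted above can be audited from the server or proxy side. The following is an added example, not part of the thread or of any browser's code: it classifies a `P3P` response-header value by checking whether its compact policy contains any recognised tokens. The token vocabulary is transcribed from the P3P 1.0 compact-policy syntax as an assumption, and the hosts and header values are constructed samples.

```python
import re

# P3P 1.0 compact-policy tokens (assumption: transcribed from the W3C spec, verify before relying on it).
_BASE = set("""NOI ALL CAO IDC OTI NON DSP COR MON LAW NID
CUR ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP
OUR DEL SAM UNR PUB OTR NOR STP LEG BUS IND
PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV OTC TST""".split())
# Purpose/recipient tokens that may carry a consent suffix: a (always), i (opt-in), o (opt-out).
_SUFFIXABLE = set("ADM DEV TAI PSA PSD IVA IVD CON HIS TEL OTP DEL SAM UNR PUB OTR".split())

def _is_token(tok):
    if tok in _BASE:
        return True
    return len(tok) == 4 and tok[:3] in _SUFFIXABLE and tok[3] in "aio"

def classify_p3p(header_value):
    """Return (verdict, unknown_tokens) for the value of a P3P response header."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value, re.IGNORECASE)
    if not m:
        return "no-compact-policy", []
    tokens = m.group(1).split()
    if not tokens:
        return "empty", []
    unknown = [t for t in tokens if not _is_token(t)]
    if len(unknown) == len(tokens):
        # A CP field is present but declares nothing: free text, not a policy.
        return "placeholder", unknown
    if unknown:
        return "mixed", unknown
    return "well-formed", []

# Constructed sample responses (host, P3P header value).
SAMPLES = [
    ("ads.example.net", 'CP="This is not a P3P policy"'),
    ("shop.example.org", 'CP="NOI DSP COR NID ADMa OUR STP"'),
    ("cdn.example.com", 'policyref="/w3c/p3p.xml"'),
    ("widgets.example.io", 'CP="NOI DSP FOO"'),
]

def flagged_hosts(samples):
    """Hosts whose compact policy is not made up purely of recognised tokens."""
    return [h for h, v in samples
            if classify_p3p(v)[0] in ("placeholder", "empty", "mixed")]

if __name__ == "__main__":
    for host, value in SAMPLES:
        print(host, classify_p3p(value))
```

A "well-formed" verdict only means the header is syntactically a compact policy; it says nothing about whether the declared practices are true.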