Linked by Thom Holwerda on Fri 17th Feb 2012 15:36 UTC, submitted by bowkota
Privacy, Security, Encryption
Well, paint me red and call me a girl scout: Facebook, Google, and several other advertising networks are using a loophole to make sure third party cookies could still be installed on Safari and Mobile Safari, even though those two browsers technically shouldn't allow such cookies. Google has already ceased the practice, and in fact, closed the loophole in WebKit itself months ago.
Thread beginning with comment 507927
RE: Apple is the issue
by Tony Swash on Mon 20th Feb 2012 22:39 UTC in reply to "Apple is the issue"

Google and the others did nothing wrong. Apple has been riding high on this, "We're Safer than everyone else" bus, that they can no longer create a secure product.

They left the loophole available, and now the fanboys are going to blame everyone else? Whatever... Just shows how Apple has truly given up on Security.

Looks like Google has also been systematically and secretly bypassing Internet Explorer as well so your 'it's all Apple's fault' idea doesn't work.

An excerpt from the report

Microsoft's Corporate VP for Internet Explorer, Dean Hachamovitch, made allegations Monday that Google was bypassing Internet Explorer's privacy settings, not just Safari's measures. After checks, he claimed that Google's cookie text files, meant to allow +1 actions for those who were signed into Google, were skirting the P3P Privacy Protection standard as it was implemented in Internet Explorer 9. The technique supposedly made IE9 take third-party cookies that it would block by default while keeping the action a secret.

To honor P3P, Google was supposed to send a set of policy tokens indicating how the cookie's information would be shared. Google was supposedly exploiting a P3P clause that skipped users' preferences if the policies weren't defined. Any browser that used P3P interpreted the message that the token was "not a P3P policy" as a sign to allow the cookie, letting Google have its intended +1 effect but also possibly allowing third-party ads despite the usual blocking settings.

The executive implied this wasn't just a casual trick, since Google would have had to use "technically skilled" staff with "special tools" to see the P3P descriptions.

At some point Google saying 'oops - a mistake - we are sorry' is going to wear a bit thin.

Score: 2