A report from the Wall Street Journal suggests that Google has been bypassing the privacy settings of millions of Safari users by installing cookies that could track the browsing habits of people—even if they thought they had blocked them.
The WSJ explains how Google has developed code that installs cookies on a users' device—without their permission—from adverts contained in web pages. Once installed, however, those cookies have potentially allowed Google to track browsing across the majority of websites.
Research by the WSJ showed that the code was present in adverts on Fandango.com, Match.com, AOL.com, TMZ.com and UrbanDictionary.com, among others, and that it worked on both desktop and mobile versions of Safari.
In a statement, Google told the WSJ:
"The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."
However, since the WSJ informed Google that it was aware of the practice, Google has disabled the feature on their servers. An Apple representative has said that the company is "working to put a stop" to the privacy invasion.
The code in question stems from the development of Google+, being developed to skirt the way Safari blocked an original implementation of the "+1" button on third-party websites. Instead of directly using cookies, which Safari doesn't allow without user consent, the code made Safari think that a person was submitting an invisible form to Google. Sneaky. Then, Google had free reign to add cookies—and track a user's browsing—without the user ever knowing.
It's an old exploit, first dug up back in 2010 by Anant Garg. Which means that while Apple may well be working on a stop now, they certainly havent been in any rush these last two years. Which is a shame, and puts more than a little blame in its court for leaving gate unlocked.