Safari isn’t safe, hackers can track you: Google’s warning

Cupertino's browser is supposed to protect users from being tracked as they browse but, according to Google, some of its flaws work in hackers' favor.

If you think browsing the web with Safari guarantees your privacy because Safari famously integrates a feature that prevents sites from tracking user behavior, you're wrong: that very feature can be used to collect information about you. Google discovered this.

The feature in question is "Intelligent Tracking Prevention," better known as ITP, which uses artificial intelligence to "learn" which websites to authorize for tracking and which not. It has been in use since 2017 and has been one of Safari's points of pride ever since, but now its reputation (and that of Safari itself) can only suffer badly. Google has discovered that, just by exploiting a flaw in the ITP system, it is possible to collect a lot of information about the user's browsing, to read the history of visited sites and, ultimately, to track the user's movement from one site to another.

Cross-site tracking

One of the most effective ways to make money from the information collected about a web user is so-called "cross-site" tracking, which consists of following the user as they hop between sites in order to show them the same banner ads. If you've wondered why you see the same ads on all sites, this technology is part of the reason. To counter it, starting with iOS 11 and macOS High Sierra in 2017, Apple introduced ITP, which also prevents the tracking code that identifies us from being exchanged between sites. Blocking of cross-site tracking is enabled by default in Safari; it is up to the user to disable it if they want to.

The ITP problem

Now, however, Google explains that, since ITP stores a list of information about the websites the user has visited, a hacker who manages to get hold of this list has hit the jackpot: they will find even more information in it than they would get using cross-site tracking. Google has also shown that it is possible to get this information with at least 5 different types of attacks.

All fixed?

After discovering this flaw, Google warned Apple so that it could be fixed. John Wilander, an Apple engineer who leads the ITP development team, said that all issues had been resolved by December 2019. A few days ago, however, Justin Schuh, the engineer in charge of Chrome's security, stated on Twitter that the issues in Safari are all still present.