iOS Safari Share Sheet causes potential privacy issue, as it tells website owner when content is shared
| Originator: | KrauseFx | ||
| Number: | rdar://36841950 | Date Originated: | January 24 2018 |
| Status: | Open | Resolved: | |
| Product: | Safari | Product Version: | |
| Classification: | Reproducible: | Always |
Summary: As soon as the user hits the share button on mobile Safari, it automatically sends multiple requests to the server, to receive the apple-touch-icon.png logo for the home screen. This is all valid, however it does offer a potential way for website owners to track when their users share content using the Safari share sheet. By using a custom apple-touch-icon.png name for each user (append some kind of user ID), advertising companies could use that to track their users. I personally don't believe this is a high-impact issue, as the possibilities to abuse it are fairly limited. Steps to Reproduce: 1. Run a local web server with a simple HTML page 1. Open it on the iOS simulator and hit the share button 1. Look at the server logs and see the requests that were just received Expected Results: Actual Results: Version/Build: Configuration:
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!