Google, Facebook and other advertising networks have been caught using a workaround to circumvent security settings on Apple's Safari and Safari Mobile browsers.
The workaround enables them to deposit cookies on a user's computer, regardless of whether the browser is set to prevent it.
By default, Safari is set to only accept cookies from directly visited sites, blocking cookies from all others.
It's thought that Google wanted to get around this because it interfered with its +1 recommendation system.
Security hole found back in 2010
The exploit used was first spotted in 2010 by developer Anant Garg, while Google's use of it was caught by Jonathan Mayer, a researcher at Stanford University.
Google has reportedly now ceased using the trick, but claims that the Wall Street Journal, which drew attention to the practice, was misrepresenting the facts.
Google said: "We used known Safari functionality to provide features that signed-in Google users had enabled. It's important to stress that these advertising cookies do not collect personal information."
The WSJ found that the exploit was also used by Facebook and at least three advertising networks. Google and Facebook use it mainly to avoid repeated log-in requests.
Meanwhile Apple said, "we are working to put a stop" to the practice.