Google (GOOG) and other online advertising companies subverted privacy settings in Apple’s (AAPL) mobile and desktop Web browser, installing small bits of code meant to track users that Safari normally refuses to accept, according to a report Thursday night.

A Stanford researcher discovered that Google’s “+1” button coding, used on ads the Mountain View company provides across the Web, was able to place an unlimited number of so-called cookies in users’ browsers using a workaround code that is well-known in engineering circles. The Wall Street Journal independently verified that the code was present in Google’s ads and was successful at tracking users.

Safari’s default security settings do not allow advertising suppliers to transmit cookies, the small bits of data that allow websites to identify certain users as they surf the Web. Google, which uses its “+1” button to allow users to identify ads or ad content they like on the Google+ social network, successfully placed cookies on Safari from 22 of the Web’s top 100 sites on a Mac and 23 sites on an iPhone, according to testing by a Journal technical adviser.

Google removed the code, originally discovered in its ads by Stanford researcher Jonathan Mayer, after questions from the Journal, the newspaper reported. An Apple official told the Journal that the Cupertino company was “working to put a stop” to the practice.

Rachel Whetstone, Google’s senior vice president of communications and public policy, said in an emailed statement “The Journal mischaracterizes what happened and why. We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information.”

The code in advertising tricked Safari into believing that a Web surfer was submitting a form to Google, allowing the company to place cookies into a user’s browser and identify them across the Web. Whetstone’s statement called the code “a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google.”

While the cookies reportedly expired in 12 to 24 hours, the loophole in Safari allows a company to place unlimited cookies once it has placed one, giving Google the ability to track some users continually. “We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers,” Whetstone wrote.

Three other online advertising companies were found to be using the code as well, according to the Journal: Vibrant Media, WPP’s Media Innovation Group and Gannett’s PointRoll. However, those three combined cannot match Google’s market share in the online advertising business. Google brought in more than 51 percent of the mobile advertising market’s $1.45 billion haul in 2011, eMarketer reported earlier this year, and was behind only Facebook and Yahoo (YHOO) in display advertising market share, with 9.3 percent.

Advertising that successfully placed cookies in users’ browsers appeared on sites including online-dating hub Match.com, AOL.com, AT&T’s YellowPages.com and even the Journal’s own website, WSJ.com, the newspaper reported.

“We were unaware this was happening on WSJ.com and are looking into it further,” a Journal spokeswoman said.

“We were not aware of this behavior,” AT&T spokesman Michael Balmoris told the Journal. “We would never condone it.”

Facebook also uses the code in some of its apps and games, the Journal reported, and a page Facebook provides for app developers links to a blog post that helped popularize the workaround with engineers, posted two years ago by an Indian Web developer named Anant Garg.

Contact Jeremy C. Owens at 408-920-5876; follow him at Twitter.com/mercbizbreak.