Connect with us

Hi, what are you looking for?



Safari’s Intelligent Tracking Prevention Fails to Prevent Tracking

The privacy mechanism implemented by Apple’s Safari browser to prevent user tracking across websites is not efficient at protecting users’ privacy, Google security researchers have discovered.

The privacy mechanism implemented by Apple’s Safari browser to prevent user tracking across websites is not efficient at protecting users’ privacy, Google security researchers have discovered.

Called Intelligent Tracking Prevention (ITP), the system is meant to prevent websites commonly loaded in a third-party context from receiving identifiable information about the user. It works by creating a list of prevalent domains and applying privacy restrictions to cross-site requests for these domains.

In a recently published report (PDF), Google security researchers Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis explain that multiple security and privacy issues affecting ITP make the protection mechanism ineffective.

Safari’s protection works by increasing an internal counter for the domain from which the resource is loaded. Once the counter reaches a specific value, the site is added to the list of prevalent domains. Moving forth, when cross-site requests are made to prevalent domains, user-identifiable information is removed so that the user can’t be tracked.

“The ITP list is append-only, but it is cleared whenever the user clears their Safari browsing history; the entire list is wiped even if the user resets history for a short time period. Private Browsing Mode does not reuse the ITP list from the main browsing profile,” Google’s researchers explain.

They also explain that the use of an ITP list that is customizable to the user’s browsing patterns introduces into the browser a global state that can be detected by any document.

One of the identified issues, they argue, is that any site can increase the counter for an arbitrary domain via cross-site requests, thus having it added to the prevalent list. Through such requests, they say, a website can determine if a domain is on the list or not.

Advertisement. Scroll to continue reading.

“It is of course trivial to detect the ITP status of any domains under the attacker’s control: the attacker can directly issue cross-site requests from another domain and inspect them for the effects of applying ITP restrictions,” the report reads.

In their whitepaper, Google’s researchers describe five attack scenarios that underline the discovered weaknesses in Apple’s mechanism. Threat actors, they say, can identify domains on the ITP list, identify individual visited websites, create a persistent fingerprint via ITP pinning, force a domain onto the ITP list, or launch cross-site search attacks using ITP.

In December 2019, Apple rolled out patches for some of these issues — namely CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846 — on both desktop and mobile devices, with the release of Safari 13.0.4 and iOS 13.3.

Now, ITP truncates all cross-site request referrer headers to just the page’s origin; blocks all third-party requests from seeing their cookies unless the user has interacted with the first-party domain; and ensures that websites can’t set cookies as third-parties unless they set cookies as first-party, Apple notes.

Related: Apple Patches Over 50 Vulnerabilities in macOS Catalina

Related: Apple Received Tens of Thousands of Government Requests in H1 2019

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.