The privacy mechanism implemented by Apple’s Safari browser to prevent user tracking across websites is not efficient at protecting users’ privacy, Google security researchers have discovered.
Called Intelligent Tracking Prevention (ITP), the system is meant to prevent websites commonly loaded in a third-party context from receiving identifiable information about the user. It works by creating a list of prevalent domains and applying privacy restrictions to cross-site requests for these domains.
In a recently published report (PDF), Google security researchers Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis explain that multiple security and privacy issues affecting ITP make the protection mechanism ineffective.
Safari’s protection works by increasing an internal counter for the domain from which the resource is loaded. Once the counter reaches a specific value, the site is added to the list of prevalent domains. Moving forth, when cross-site requests are made to prevalent domains, user-identifiable information is removed so that the user can’t be tracked.
“The ITP list is append-only, but it is cleared whenever the user clears their Safari browsing history; the entire list is wiped even if the user resets history for a short time period. Private Browsing Mode does not reuse the ITP list from the main browsing profile,” Google’s researchers explain.
They also explain that the use of an ITP list that is customizable to the user’s browsing patterns introduces into the browser a global state that can be detected by any document.
One of the identified issues, they argue, is that any site can increase the counter for an arbitrary domain via cross-site requests, thus having it added to the prevalent list. Through such requests, they say, a website can determine if a domain is on the list or not.
“It is of course trivial to detect the ITP status of any domains under the attacker’s control: the attacker can directly issue cross-site requests from another domain and inspect them for the effects of applying ITP restrictions,” the report reads.
In their whitepaper, Google’s researchers describe five attack scenarios that underline the discovered weaknesses in Apple’s mechanism. Threat actors, they say, can identify domains on the ITP list, identify individual visited websites, create a persistent fingerprint via ITP pinning, force a domain onto the ITP list, or launch cross-site search attacks using ITP.
In December 2019, Apple rolled out patches for some of these issues — namely CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846 — on both desktop and mobile devices, with the release of Safari 13.0.4 and iOS 13.3.
Now, ITP truncates all cross-site request referrer headers to just the page’s origin; blocks all third-party requests from seeing their cookies unless the user has interacted with the first-party domain; and ensures that websites can’t set cookies as third-parties unless they set cookies as first-party, Apple notes.
Related: Apple Patches Over 50 Vulnerabilities in macOS Catalina
Related: Apple Received Tens of Thousands of Government Requests in H1 2019