Apple’s Privacy Feature for Safari Actually Exposes User Data – Google Researchers
Apple's Intelligent Tracking Prevention for Safari, which makes it difficult for websites to track visitors, actually exposes user data due to multiple security flaws in the browser, as disclosed by Google Researchers. This flaw impacts Safari on iOS, iPadOS and macOS.
As reported by Financial Times, the issue was first shared by Google’s security researchers with Apple in August 2019. Multiple vulnerabilities were discovered in Safari’s Intelligent Tracking Prevention technology, which exists simply to provide more privacy to users. The vulnerabilities allowed websites to obtain “sensitive private information about the user’s browsing habits”, as Financial Times puts it.
Apple patched the security flaws in December 2019, and addressed the issue in a blog post. Since ITP categorized the content based on its source and its tracking capabilities, it potentially allowed webpages to figure out the different treatment each URL gets.
Any kind of tracking prevention or content blocking that treats web content differently based on its origin or URL risks being abused itself for tracking purposes if the set of origins or URLs provide some uniqueness to the browser and webpages can detect the differing treatment.
Flaws in ITP also allowed users to be tracked around the Internet, and even reveal what users were searching in search engines like Google.
The post also acknowledged Google’s role in identifying the flaws and sharing details with the company to help fix it.
We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above. Full credit will be given in upcoming security release notes.
Even though Apple claimed to have fixed the issues, Google’s Engineering Director for Chrome browser tweeted that the issues remain unfixed. He also revealed that Apple had requested a disclosure extension, during which the blog post was published, without disclosing any of the vulnerabilities.
It has not. I explained elsewhere that Apple's blog post was confusing to the team that provided the report. The post was made during a disclosure extension Apple had requested, but didn't disclose the vulnerabilities, and the changes mentioned didn't fix the reported issues.
— Justin Schuh ? (@justinschuh) January 22, 2020
Intelligent Tracking Prevention was first introduced with iOS 11 and has received multiple revisions over the years. It uses machine learning to understand which websites and advertisers track you across the web and disables cross-site tracking. The latest version 2.3, released with iOS 13, iPadOS 13 and macOS Catalina 10.15, gained support for blocking embedded sharing and like buttons from social networks from tracking users without their explicit consent.
Google has published a paper that details five types of potential attacks that can be used to exploit the vulnerabilities in Safari 13.0.4 and iOS 13.3. It also includes mitigations, workarounds and other observations. You can read the full paper here.