Apple’s Privacy Feature for Safari Actually Exposes User Data – Google Researchers

Jan 23, 2020 at 09:48am EST

Apple's Intelligent Tracking Prevention for Safari, which makes it difficult for websites to track visitors, actually exposes user data due to multiple security flaws in the browser, as disclosed by Google researchers. The flaws impact Safari on iOS, iPadOS and macOS.

As reported by Financial Times, the issue was first shared by Google’s security researchers with Apple in August 2019. Multiple vulnerabilities were discovered in Safari’s Intelligent Tracking Prevention technology, which exists simply to provide more privacy to users. The vulnerabilities allowed websites to obtain “sensitive private information about the user’s browsing habits”, as Financial Times puts it.


Apple patched the security flaws in December 2019, and addressed the issue in a blog post. Since ITP categorized the content based on its source and its tracking capabilities, it potentially allowed webpages to figure out the different treatment each URL gets.

“Any kind of tracking prevention or content blocking that treats web content differently based on its origin or URL risks being abused itself for tracking purposes if the set of origins or URLs provide some uniqueness to the browser and webpages can detect the differing treatment.”

Flaws in ITP also allowed users to be tracked around the Internet, and even revealed what users were searching for in search engines like Google.

The post also acknowledged Google’s role in identifying the flaws and sharing details with the company to help fix them.

“We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above. Full credit will be given in upcoming security release notes.”

Even though Apple claimed to have fixed the issues, Google’s Engineering Director for the Chrome browser tweeted that the issues remain unfixed. He also revealed that Apple had requested a disclosure extension, during which the blog post was published, without disclosing any of the vulnerabilities.

https://twitter.com/justinschuh/status/1220034173890490368

Intelligent Tracking Prevention was first introduced with iOS 11 and has received multiple revisions over the years. It uses machine learning to understand which websites and advertisers track you across the web and disables cross-site tracking. The latest version 2.3, released with iOS 13, iPadOS 13 and macOS Catalina 10.15, gained support for blocking embedded sharing and like buttons from social networks from tracking users without their explicit consent.

Google has published a paper that details five types of potential attacks that can be used to exploit the vulnerabilities in Safari 13.0.4 and iOS 13.3. It also includes mitigations, workarounds and other observations. You can read the full paper here.

About the author: Imran Hussain has been covering tech since 2008. His passion for technology started with beta testing Windows Longhorn and other Microsoft services and apps, and later expanded to smartphones and other platforms. He currently covers mobile tech, and still prefers beta releases over stable software updates. When not writing, buying or discussing tech, Imran enjoys gaming, movies, news and spending time with his family.
