Of all the tech giants, Apple has paper published by Google researchers earlier this week contends that Intelligent Tracking Prevention, or ITP, can be abused to obtain private user information.
Here’s the gist of the Google researchers’ paper: Safari’s ITP protects users from tracking by blocking certain websites from getting identifying user information. Put another way, ITP learns which sites are permitted to use browser cookies or tracking scripts from third-party domains. So if you’re purposefully visiting a website, ITP doesn’t apply to it. However, if a site is trying to track you via a script and you haven’t actively visited it, ITP shuts that down by either removing the cookies or lopping off the referrer header from the URL. Based on what it finds, problematic domains are then added to an on-device ITP list. The problem with this is that the classification of “good” versus “bad” sites is based entirely on a user’s individual browsing pattern. Google’s researchers say that, in effect, this means “Safari has introduced global state into the browser, which can be modified and detected by every document.”
In plain speak, that means bad actors can easily determine if a domain under their control is on your personal ITP list, and also reveal the ITP state of any domain. From there, attackers could then infer private information about your personal browsing habits. Yikes.
The researchers also identified five potential attacks that could result. First, attackers could reveal domains on a user’s ITP list. Second, attackers could also identify individual websites a user had visited. These first two attacks could give a bad actor a wealth of highly specific information about what sites you visit and when. The third type of attack involves creating a “persistent fingerprint” via ITP pinning. According to the researchers, this could be used to “create a global shared identifier that can be accessed or set from every website.” In general, browser fingerprinting is a shady tactic used to track you across the web without needing cookies or IP addresses.
Fourth, attackers could just arbitrarily add a domain to your ITP list. This could cause vulnerabilities in which bad actors could cause logins and security checks to fail. Lastly, for web applications with search functions, an attacker could launch a new window with a chosen query and learn about your private search results. The example Google’s researchers give is attackers figuring out what you’re searching for in your webmail inbox.
All this is certainly in the weeds, but the main takeaway is Google found ITP, a feature meant to protect users from invasive third-party tracking, unintentionally introduced serious privacy and security vulnerabilities. Apple, for its part, addressed an unspecified number of the aforementioned issues last month in its Safari 13.0.4 and iOS 13.3 updates. Apple WebKit engineer John Wilander also penned a blog detailing changes included in those updates on December 10, and has since tweeted about the “state of cross-tracking 2020 default settings,” a likely dig at Google for the lack of any such option in Chrome.
However, there’s some dissent as to whether these fixes were adequate. Ars Technica noted that Apple’s changes seemed to be “short-term mitigations.” Basically, the updates make it harder for attackers to abuse ITP, but the fundamental issue of the feature relying on individual browsing history remains. It’s a sentiment that was echoed on Twitter by Justin Schuh, the engineering director on Google Chrome Trust and Safety.
“This is a bigger problem than Safari’s ITP introducing far more serious privacy vulnerabilities than the kinds of tracking that it’s supposed to mitigate,” Schuh tweeted. “The cross-site search and related side-channels it exposes are also abusable security vulnerabilities.”
Schuh went on to elaborate further that the anti-tracking approach was the issue, and that Apple’s attempt to mitigate the problem by adding “state mechanisms” often opens the door to more serious privacy and security concerns. (Schuh also threw shade in multiple tweets regarding Apple’s blog, claiming it didn’t properly credit the Google researchers, disclose the vulnerabilities, or adequately fix the reported issues.)
Gizmodo has reached out to both Google and Apple for comment on the fixes, and allegations that they are insufficient. We’ll update if we hear back. In the meantime, if the news gives you the creeps, you can disable ITP by going to Safari Preferences, Privacy, and unchecking the “Prevent cross-site tracking” box.