Researchers from Google’s Information Security Engineering team have detailed several security issues in the design of Apple’s Safari anti-tracking system, Intelligent Tracking Prevention (ITP).
ITP is designed to restrict cookies and is Apple’s answer to online marketers that track users across websites. However, Google researchers argue in a new paper that ITP actually leaks Safari users’ web browsing habits, “allowing persistent cross-site tracking, and enabling cross-site information leaks, including cross-site search”.
Some of the bugs were addressed by Apple’s December security updates in Safari 13.04 and iOS 13.3. But Google’s security researchers say the mitigations don’t fully resolve the privacy issues. “Such fixes will not address the underlying problem,” they write.
The Apple WebKit engineer behind ITP, John Wilander, thanked Google for its assistance in a December blog post, noting that the online ad giant was “able to explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection”.
Google researchers Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis have now detailed five attacks that exploit ITP’s design, which relies on an on-device algorithm to build an ITP list containing details about sites visited. The problem is that sites can use the list to discover information about the websites that Safari users visit.
“Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user’s ITP list,” the researchers write.
“By checking for the side-effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user’s ITP list; it can repeat this process and reveal ITP state for any domain.”
Google and Apple are at odds over how best to protect users from cross-site tracking. Apple introduced ITP in Safari for macOS and iOS in 2017, and while Chrome has a larger share on the desktop, Apple’s changes have reportedly hurt ad-tech companies and publishers.
Wilander recently highlighted that Safari, Firefox, Microsoft’s Chromium-based Edge, and Brave had all implemented some form of cross-site tracking prevention, yet Google Chrome had not.
Google’s engineering director of Chrome, Justin Schuh, insists Apple has not resolved the ITP bugs Google reported to it and suggests the feature is fatally flawed because it creates even worse security and privacy issues than the ones it was designed to address.
“This is a bigger problem than Safari’s ITP introducing far more serious privacy vulnerabilities than the kinds of tracking that it’s supposed to mitigate. The cross-site search and related side-channels it exposes are also abusable security vulnerabilities,” wrote Schuh.
Schuh pointed out parallels with Chrome’s XSS Auditor, a decade-old security feature that detects cross-site scripting attacks. Google announced in July that it would ditch the feature in part because it introduced many “cross-site info leaks”, and Google found that “fixing all the info leaks has proven difficult”.
“To add some context, Chrome’s XSS Auditor was found to introduce exactly the same class of side-channel vulnerabilities. After several back and forths with the team that discovered the issue, we determined that it was inherent to the design and had to remove the code,” wrote Schuh.