Google Security Engineering researchers detailed, in a paper presented to Cornell University, several data leak issues in Apple's Intelligent Tracking Prevention (ITP) technology, which aims to restrict cookies from sharing data and browsing habits in the Safari web browser.
In the new paper — Information Leaks via Safari’s Intelligent Tracking Prevention — Google researchers argue that ITP allows “persistent cross-site tracking, and enabling cross-site information leaks,” including cross-site search.
Bugs were addressed by Apple's December security updates in Safari 13.04 and iOS 13.3, but Google's security team says the fixes do not resolve “underlying” privacy issues.
Apple introduced ITP in Safari for macOS and iOS in 2017. The technology aims to protect users from tracking across the web by preventing websites with a third-party context from receiving information that would allow them to identify the user.
When Safari notices a website sending a cross-site resource request, it increases an internal counter for the domain from which the resource is loaded. This is referred to as an ITP strike in the paper.
The paper suggests that once a domain has accumulated enough ITP strikes, Safari categorizes it as a prevalent domain. The paper notes that the details of the classification logic are evolving and are beyond its scope.
Google researchers write that, using certain methods, an attacker can learn the ITP status of a domain, which indirectly reveals information about the user's browsing habits and other sensitive information about the user. It can identify individual visited websites — specifically any that make cross-site requests to a custom domain used only by that site.
The flaw can also be used to create a persistent fingerprint via ITP pinning: an attacker can add their own domain to the user's ITP list by making cross-site requests to it from at least three other domains.
Google researchers also highlight several other flaws, such as cross-site search attacks, in which an attacker opens a new browser window to a search page with a query.
If the attacker can distinguish a response that returned results from an empty one, they can learn information about the user's private search results.
There are short-term workarounds, which Google researchers outline in the paper, but they say these will not fix the “underlying” problems.