An anti-tracking tool baked into Apple’s Safari web browser was found to contain flaws that, if abused, could enable the very thing that the tool was designed to prevent, according to a team of Google researchers. In a recently released report, the researchers disclosed multiple vulnerabilities in the browser’s privacy tool that could allow bad actors to take a peek at your browsing and search history.
Apple counts users’ privacy safeguards as one of the cornerstones of its business and one of its main selling points. In 2017, the company released a privacy tool for Safari, called Intelligent Tracking Prevention (ITP). The move was met with much ire from the marketing and advertising community. The tool itself limits cross-site tracking and third-party cookies, which are mostly used by online marketing companies to track users across different websites. Based on collected statistics and user interactions, ITP evaluates which cookies to limit.
In a strange twist, the paper’s authors argue that security and privacy flaws in Safari’s ITP design can have an opposite effect on its intended use. These would include the disclosure of browsing habits, as well as allow persistent cross-site tracking and even enabling cross-site information leaks.
“Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user’s ITP list. By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user’s ITP list; it can repeat this process and reveal the ITP state for any domain. Because the ITP list implicitly stores information about the websites visited by the user, leaking its state reveals sensitive private information about the user’s browsing habits.”
The researchers, who described five different scenarios for abusing ITP’s design, submitted their findings to Apple back in December. The latter promptly acknowledged the problem and issued updates to Safari and ITP to fix it. However, Justin Schuh, Google’s director of Chrome Engineering disputed that the issues had been fixed.
Targeted marketing has been a thorn in users’ side for quite some time, with most usually resorting to adblockers to limit the number of ads they see. While tech firms have been developing tools such as the ITP and limiting third-party cookies but not all of them agree on the method.