Apple's Fancy Browser Privacy Tech May Do More Harm Than Good

Of all the tech giants, Apple has repeatedly reminded us that it’s the one that cares most about privacy. One of its many privacy-minded innovations is its Safari “Intelligent Tracking Prevention” feature—a machine-learning algorithm introduced back in 2017 that aims to stop annoying ads from tracking you from one site to the next. However, a paper published by Google researchers earlier this week contends that Intelligent Tracking Prevention, or ITP, can be abused to obtain private user information.

Here’s the gist of the Google researchers’ paper: Safari’s ITP protects users from tracking by blocking certain websites from getting identifying user information. Put another way, ITP learns which sites are permitted to use browser cookies or tracking scripts from third-party domains. So if you’re purposefully visiting a website, it doesn’t apply. However, if a site is trying to track you via a script and you haven’t actively visited it, ITP shuts that down by either removing the cookies or truncating the referrer header. Based on what it finds, problematic domains are then added to an on-device ITP list. The problem is that this classification of “good” versus “bad” sites is based entirely on a user’s individual browsing pattern. Google’s researchers say that, in effect, this means “Safari has introduced global state into the browser, which can be modified and detected by every document.”

In plain speak, that means bad actors can easily determine if a domain under their control is on your personal ITP list, and also reveal the ITP state of any domain. From there, attackers could then infer private information about your personal browsing habits. Yikes.

The researchers also identified five potential attacks that could result. First, attackers could reveal domains on a user’s ITP list. Second, attackers could also identify individual websites a user had visited. These first two attacks could give a bad actor a wealth of highly specific information about what sites you visit and when. The third type of attack involves creating a “persistent fingerprint” via ITP pinning. According to the researchers, this could be used to “create a global shared identifier that can be accessed or set from every website.” In general, browser fingerprinting is a shady tactic used to track you across the web without needing cookies or IP addresses.

Fourth, attackers could arbitrarily add a domain to your ITP list, which would let bad actors cause logins and security checks to fail. Lastly, for web applications with search functions, an attacker could launch a new window with a chosen query and learn about your private search results. The example Google’s researchers give is attackers figuring out what you’re searching for in your webmail inbox.

All this is certainly in the weeds, but the main takeaway is that Google found ITP—a feature meant to protect users from invasive third-party tracking—unintentionally introduced serious privacy and security vulnerabilities. Apple, for its part, addressed an unspecified number of the aforementioned issues last month in its Safari 13.0.4 and iOS 13.3 updates. Apple WebKit engineer John Wilander also penned a blog post on December 10 detailing the changes included in those updates, and has since tweeted about the “state of cross-tracking 2020 default settings”—a likely dig at Google for the lack of any such option in Chrome.

However, there’s some dissent as to whether these fixes were adequate. Ars Technica noted that Apple’s changes seemed to be “short-term mitigations.” Basically, the updates make it harder for attackers to abuse ITP, but the fundamental issue of the feature relying on individual browsing history remains. It’s a sentiment that was echoed on Twitter by Justin Schuh, the engineering director on Google Chrome Trust and Safety.

“This is a bigger problem than Safari’s ITP introducing far more serious privacy vulnerabilities than the kinds of tracking that it’s supposed to mitigate,” Schuh tweeted. “The cross-site search and related side-channels it exposes are also abusable security vulnerabilities.”

Schuh went on to elaborate that the anti-tracking approach was the issue, and that Apple’s attempt to mitigate the problem by adding “state mechanisms” often opens the door to more serious privacy and security concerns. (Schuh also threw shade in multiple tweets regarding Apple’s blog, claiming it didn’t properly credit the Google researchers, disclose the vulnerabilities, or adequately fix the reported issues.)

Gizmodo has reached out to both Google and Apple for comment on the fixes, and allegations that they are insufficient. We’ll update if we hear back. In the meantime, if the news gives you the creeps, you can disable ITP by going to Safari Preferences, Privacy, and unchecking the “Prevent cross-site tracking” box.

[Ars Technica]

DISCUSSION

spiderseverywhere

Google’s solution is to just completely block all third-party cookies. On the plus side, when Chrome turns that on ‘sometime in the next 2 years’, it will pretty much kill off all third-party cookies everywhere, but it’s going to be a pain to recode all the sites that rely on them to work. I foresee a period after Chrome turns that on where people are constantly complaining that ‘X’ site doesn’t work in Chrome...