Google researchers find serious privacy risks in Safari's anti-tracking protections


When Apple introduced powerful anti-tracking protections to Safari in 2017, advertisers banded together to say they were “deeply concerned” it would sabotage ad-supported content. Now, there's new information showing that Safari users had good reason for unease as well.

Known as Intelligent Tracking Prevention, the mechanism uses machine learning to classify which websites are allowed to use browser cookies or scripts hosted on third-party domains to track users. Classifications are based on the specific browsing patterns of each end user. Sites that end users intentionally visit are permitted to do cross-site tracking. Sites that users don't actively visit (but that are accessed through tracking scripts) are restricted, either by automatically removing the cookies they set or by truncating referrer headers to include only the domain rather than the entire URL.

A paper published on Wednesday by researchers from Google said this protection came at considerable risk to the privacy of end users. Because the list of restricted sites is based on users' individual browsing patterns, Intelligent Tracking Prevention—commonly abbreviated as ITP—introduces settings into Safari that can be modified and detected by any page on the Internet. The paper said websites have been able to use this capability for a host of attacks, including:

  • obtaining a list of recently visited sites
  • creating a persistent fingerprint that follows a user around the Web
  • leaking search results or other sensitive information displayed by Safari
  • forcing any domain onto the list of sites not permitted to use third-party scripts or cookies

The Google researchers said that Apple addressed “a number of the issues” with the release in December of Safari 13.0.4 and iOS 13.3. The researchers didn't elaborate.

Some cross-site tracking is OK

Not all third-party tracking is invasive. Using Google or Facebook credentials to log in to a different site through OAuth is one example of cross-site tracking that many people find useful. The Google paper provides more details about how ITP decides which sites should be restricted. While the process is complicated, the threshold for a site being included on the restricted ITP list was when Safari detected it being used for third-party tracking by three other domains. The list is stored as registered domains. The list can only be appended to, but it's wiped clean any time a user clears the Safari browsing history.
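To make the mechanism concrete, here is a small model of the ITP list as the article describes it. This is an added illustration written for this page, not Apple's implementation or code from the Google paper; it assumes only the rules stated above (a per-user, append-only list keyed by registered domain, a strike threshold of three distinct first-party sites, a wipe on history clear, and cookie removal plus referrer truncation for restricted domains). The registrable-domain helper and the sample browsing session are simplifications constructed for the example.

```python
"""Toy model of Safari's Intelligent Tracking Prevention (ITP) list.

Added example, not Apple's code. It models only what the article states:
a third-party domain observed from three distinct first-party sites is added
to the user's restricted list; the list is keyed by registered domain, can
only be appended to, and is wiped when browsing history is cleared. Requests
to a restricted domain lose their cookies and get a truncated Referer.
"""
from collections import defaultdict
from typing import Dict, Optional, Set
from urllib.parse import urlparse

STRIKE_THRESHOLD = 3  # distinct first-party sites, as stated in the article


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: keep the last two labels.

    Assumption: real ITP uses the public suffix list; this toy version does
    not handle multi-label suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class ITPState:
    """Per-user global state that every document's sub-resource loads feed into."""

    def __init__(self) -> None:
        # third-party domain -> distinct first-party domains it was loaded from
        self._strikes: Dict[str, Set[str]] = defaultdict(set)
        self._restricted: Set[str] = set()  # append-only until history is cleared

    def observe_request(self, top_level_url: str, resource_url: str) -> bool:
        """Record one sub-resource load; return True if it was cross-site."""
        first_party = registrable_domain(urlparse(top_level_url).hostname or "")
        third_party = registrable_domain(urlparse(resource_url).hostname or "")
        if first_party == third_party:
            return False  # same-site load: no strike
        self._strikes[third_party].add(first_party)
        if len(self._strikes[third_party]) >= STRIKE_THRESHOLD:
            self._restricted.add(third_party)
        return True

    def strikes(self, host: str) -> int:
        return len(self._strikes.get(registrable_domain(host), set()))

    def is_restricted(self, host: str) -> bool:
        return registrable_domain(host) in self._restricted

    def clear_history(self) -> None:
        """Clearing Safari history wipes both the counters and the list."""
        self._strikes.clear()
        self._restricted.clear()

    def apply_to_request(self, referer: str, resource_url: str,
                         cookie: Optional[str]) -> Dict[str, Optional[str]]:
        """Headers a cross-site request would carry after ITP is applied."""
        host = urlparse(resource_url).hostname or ""
        if not self.is_restricted(host):
            return {"referer": referer, "cookie": cookie}
        origin = urlparse(referer)
        # Restricted: full URL path is dropped from Referer, cookie is removed
        return {"referer": f"{origin.scheme}://{origin.netloc}/", "cookie": None}


def demo() -> Dict[str, object]:
    """Walk a constructed browsing session through the model."""
    state = ITPState()
    pixel = "https://cdn.tracker.test/pixel.gif"
    session = [  # constructed sample data, not real traffic
        ("https://news.example/story/1", pixel),
        ("https://shop.example/cart", pixel),
        ("https://shop.example/checkout", pixel),   # same first party: no new strike
        ("https://blog.example/post?q=secret", pixel),
    ]
    after_two: Optional[bool] = None
    for i, (top, res) in enumerate(session):
        state.observe_request(top, res)
        if i == 1:
            after_two = state.is_restricted("cdn.tracker.test")
    restricted = state.apply_to_request(session[-1][0], pixel, "id=abc")
    state.clear_history()
    cleared = state.apply_to_request(session[-1][0], pixel, "id=abc")
    return {
        "restricted_after_two_sites": after_two,
        "strikes": state.strikes("cdn.tracker.test"),  # 0 after the clear
        "restricted_headers": restricted,
        "cleared_headers": cleared,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the article's point visible: the restricted list is state shared across every site the user visits, so its contents depend on browsing history and change the headers of later requests, which is what turns it into both a history leak and a fingerprinting surface.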

The paper continues:

As a result of customizing the ITP list based on each user's individual browsing patterns, Safari has introduced global state into the browser, which can be modified and detected by every document.

Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user's ITP list. By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user's ITP list; it can repeat this process and reveal ITP state for any domain.

It's trivial for attackers to determine the ITP status of any domain under their control. Attackers simply issue cross-site requests from another domain and check whether the Referer header has been truncated or whether a cookie previously sent in a first-party context is present in the request. Revealing the status of domains outside the attacker's control is only slightly harder. It requires the use of a side channel that compares the behavior of requests affected by ITP with the behavior of those that are unaffected by ITP. The paper says the Internet “abounds” in such side channels and identifies six of them.

The paper goes on to list five attacks that are made possible by Safari's ITP. They include: