Google Discovers Serious Privacy And Security Flaws In Apple Safari Tracking Prevention

Up until last month, an anti-tracking feature introduced to Apple's Safari browser in 2017 actually left users potentially more susceptible to being tracked by hackers due to multiple vulnerabilities discovered by Google's engineers. Fortunately, Apple patched the security holes in December, though it's a bit of an unsettling situation.

The feature in question is called Intelligent Tracking Prevention. It leverages a machine learning model to classify which top privately-controlled domains are able to track users from one site to another, based on a set of collected statistics. If the site is one the user frequently visits, it is allowed to perform cross-site tracking. But if it's a site the user has not interacted with in the past 30 days, the website data and cookies are purged, and continue to be purged as new data gets added.

In a newly published paper (PDF), Google outlines how several vulnerabilities within Apple's Intelligent Tracking Prevention mechanisms compromised the privacy and security of users.

"As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search)," the paper states.

One of the issues is the storage of information about sites a user visits. Two of the five vulnerabilities Google identified would allow an attacker to spy on sensitive information about a user's browsing habits. In other words, the Intelligent Tracking Prevention protocol would expose the very thing it is designed to protect.

Apple has not issued a comment in the wake of the paper being published, though it did address the topic in a blog post last month, when the issues were patched.

"ITP will now block all third-party requests from seeing their cookies, regardless of the classification status of the third-party domain, unless the first-party website has already received user interaction," Apple explained.

Apple also outlined a few other changes it made to plug up the security holes outlined, and thanked Google for alerting it to the flaws. However, it appears the changes are short-term workarounds. It's not clear what kind of risks remain for Safari users due to ITP. Users who want to err on the side of caution can disable the feature, though it's a bit of a double-edged sword.