Friday, January 24, 2020

Information Leaks via Safari’s Intelligent Tracking Prevention

Artur Janc et al. (PDF, Hacker News, MacRumors, 9to5Mac):

As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari’s ITP design. These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search). This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.

This is really clever.

Maciej Stachowiak:

If you’ve seen articles advising you to turn off Intelligent Tracking Prevention in Safari, don’t do it. That is terrible advice. Even if we had no fix for the issues recently disclosed by Google, cookies are a way worse tracking vector than a flaw in ITP could ever be.

On top of that, we have in fact patched the specific vulnerabilities reported to us, and have confirmed this with the researchers.

John Wilander:

We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above.

Justin Schuh:

It has not [been addressed]. I explained elsewhere that Apple’s blog post was confusing to the team that provided the report. The post was made during a disclosure extension Apple had requested, but didn’t disclose the vulnerabilities, and the changes mentioned didn’t fix the reported issues.


Comments RSS · Twitter

Leave a Comment