Tracking prevention trips up on its own shoelaces

Security researchers have discovered a method of subverting Safari's tracking protection in a finding that has implications for other browser makers.

The flaws found in the Apple-owned browser’s Intelligent Tracking Prevention (ITP), a feature designed to enhance privacy, could have potential consequences leading to the disclosure of a user’s online browsing habits.

It would also open the doors to persistent cross-site tracking and cross-site information leaks, including cross-site search, according to a Google-led team of security researchers.

Block and tackle

The problem lies with how ITP decides which sites should be blocked from sending requests to and from a user’s browser.

Most browser makers still rely on the blacklisting or whitelisting of domains, rather than Safari’s approach, which involves applying the results of an algorithm to create a personalized anti-tracking model baked into a user’s browser.

“Safari bases its anti-tracking approach not on a built-in, static list of domains, but on making a local decision about the sties that your browser recognizes as providers of third-party resources,” security researcher Artur Janc, a manager in Google's Information Security Engineering team explains on Twitter.

“This requires building up a custom model of what sites are loaded in third-party contexts, which depends on your individual traffic and implicitly encodes information about your browsing history,” he said.

Fracking tracking

The flagged domains are put into what Safari calls an Intelligent Tracking Prevention (ITP) list, which is unique to each user.

This intuitive design, however, means that “when the browser uses this model to change its behaviour (e.g. removes cookies or the `Referer' header from some requests), its underlying data gets exposed to any website,” Janc said.

“That model is not only a unique identifier, but also reveals information about sites you visited since last clearing browsing state,” he added.

Websites are therefore able to detect changes to the ITP list, enabling an attack surface counter to Safari’s anti-tracking feature.

“By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user’s ITP list; it can repeat this process and reveal ITP state for any domain,” the researchers explain in a paper expanding on the issue.

A second attack allows the identification of each website visted by a user. An attacker can detect that a user previously visited any site which makes cross-site requests to a custom domain used only by that site.

A third exploit route involves creating a persistent fingerprint via ITP pinning. Other avenues of attack involve forcing a domain onto the ITP list or running cross-site search attacks.

Browser information leaks

The researchers passed their findings onto Apple in a routine security review, and a number of the issues were addressed in Safari 13.0.4 and iOS 13.3, released in December 2019.

Safari already had some mitigations in place to defend against leaks of potentially sensitive information arising from the use of its anti-tracking technology but these safeguards are incomplete, according to researchers.

The essential problem goes beyond Apple Safari’s implementation of anti-tracking technology but also affects other browser technologies, such as Google Chrome's Privacy Budget, that take a similar approach.

“If you alter browser behavior based on locally gathered data, then if your changes have web-observable consequences, you're going to have a bad time,” Janc concluded.

Janc and his fellow researchers – Lukas Weichselbaum and Roberto Clapis from Google and Krzysztof Kotowicz – have put together a paper (pdf) on their research, entitled ‘Information Leaks via Safari's Intelligent Tracking Prevention’.

Intelligent Tracking Prevention has been incorporated as a privacy protection mechanism in Apple's Safari browser since October 2017.

RELATED Tracking prevention in Safari WebKit levels up