Security News > 2020 > January > Safari's Intelligent Tracking Prevention Fails to Prevent Tracking

The privacy mechanism implemented by Apple's Safari browser to prevent user tracking across websites is not efficient at protecting users' privacy, Google security researchers have discovered.

Called Intelligent Tracking Prevention, the system is meant to prevent websites commonly loaded in a third-party context from receiving identifiable information about the user.

"The ITP list is append-only, but it is cleared whenever the user clears their Safari browsing history; the entire list is wiped even if the user resets history for a short time period. Private Browsing Mode does not reuse the ITP list from the main browsing profile," Google's researchers explain.

Threat actors, they say, can identify domains on the ITP list, identify individual visited websites, create a persistent fingerprint via ITP pinning, force a domain onto the ITP list, or launch cross-site search attacks using ITP. In December 2019, Apple rolled out patches for some of these issues - namely CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846 - on both desktop and mobile devices, with the release of Safari 13.0.4 and iOS 13.3.

Now, ITP truncates all cross-site request referrer headers to just the page's origin; blocks all third-party requests from seeing their cookies unless the user has interacted with the first-party domain; and ensures that websites can't set cookies as third-parties unless they set cookies as first-party, Apple notes.

News URL

http://feedproxy.google.com/~r/Securityweek/~3/5WnxGoXB04c/safaris-intelligent-tracking-prevention-fails-prevent-tracking