Safari search bar iPhone X (Source: iMore)

What you need to know

  • Google Chrome engineering director Justin Schuh says that Apple has still not fixed issues raised with its Intelligent Tracking Prevention feature for Safari.
  • Google told Apple about problems with the feature back in August, and Apple was thought to have addressed them in December.
  • Commenting on the release of a soon-to-be-published paper, Schuh has now suggested that the issue is still a problem.

Google Chrome engineer Justin Schuh has suggested that a problem with Apple's Intelligent Tracking Prevention feature for Safari may still not have been resolved.

Reports are flying all over the web regarding a Financial Times piece titled 'Apple's privacy software allowed users to be tracked, says Google'. This article covers a "soon-to-be-published" paper detailing issues that were found in Apple's Intelligent Tracking Prevention feature for its Safari Web Browser. Ironically, it was revealed back in December that Google had found a flaw which meant users could be tracked by the... you know... tracking prevention software.

Lukas Olejnik, who is cited by FT, posted a link to the paper on Twitter and stated:

Apple/Safari Intelligent Tracking Prevention is a mechanism intended to improve privacy. It was found to have privacy vulnerabilities allowing sites to track the user (and fingerprint), and to steal web browser history of a user. Incredible find.

Now, as mentioned, the news that Apple was having problems with the Intelligent Tracking Prevention feature is not news. In fact, the engineer behind the software, John Wilander, published a blog post entitled "Preventing Tracking Prevention Tracking" to address the issue, concluding:

We'd like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above. Full credit will be given in upcoming security release notes.

That was seemingly meant to put minds at ease. The abstract of the paper at the center of this story also states:

"A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019."

According to Justin Schuh, however, the team that provided the original report to Apple was confused by this post, and he furthermore stated that Apple doesn't seem to have addressed the problem. In response to a tweet linking the post that said "I think (correct me if I'm wrong) this has been addressed here", he stated:

It has not. I explained elsewhere that Apple's blog post was confusing to the team that provided the report. The post was made during a disclosure extension Apple had requested, but didn't disclose the vulnerabilities, and the changes mentioned didn't fix the reported issues.

In response to the more general issue he said:

This is a bigger problem than Safari's ITP introducing far more serious privacy vulnerabilities than the kinds of tracking that it's supposed to mitigate. The cross-site search and related side-channels it exposes are also abusable security vulnerabilities.

To add some context, Chrome's XSS Auditor was found to introduce exactly the same class of side-channel vulnerabilities. After several back and forths with the team that discovered the issue, we determined that it was inherent to the design and had to remove the code.

I have no idea what Apple plans to do about this because it's been a defining theme in their anti-tracking approach (and one of our major concerns). They attempt to mitigate tracking by adding state mechanisms, but adding states often introduces worse privacy/security issues.

As mentioned, most of today's reports seem to revolve around the published paper, and most of them also reference the blog post that seemingly addressed the issue. However, Schuh seems pretty adamant that the blog post and Apple's changes "didn't fix the reported issues". Looking ahead, he also said that he has "no idea what Apple plans to do about this." In a response to another tweet linking the same Apple blog post, Schuh again stated:

No, I can assure you that they still haven't fixed these issues, which is what made that blog post last year so weird. Apple didn't disclose the vulnerabilities or appropriately credit the researchers, but put out a post implying they fixed "something".

A Reuters journalist stated that Google declined to comment on Schuh's comments.