A Google engineer says Apple's Intelligent Tracking Prevention issue has not been fixed

Safari search bar iPhone X
Safari search bar iPhone X (Image credit: iMore)

What you need to know

  • Google Chrome engineering director Justin Schuh says that Apple has still not fixed issues raised with its Intelligent Tracking Prevention feature for Safari.
  • Google told Apple about problems with the feature back in August, and Apple was thought to have addressed it in December.
  • Commenting on the release of a soon-to-be-published paper, it has now been suggested that the issue is still a problem.

Google Chrome engineer Justin Schuh has suggested that a problem with Apple's Intelligent Tracking Prevention feature for Safari may still not have been resolved.

Reports are flying all over the web regarding a Financial Times piece titled 'Apple's privacy software allowed users to be tracked, says Google'. This article covers a "soon-to-be-published" paper detailing issues that were found in Apple's Intelligent Tracking Prevention feature for its Safari Web Browser. Ironically, it was revealed back in December that Google had found a flaw which meant users could be tracked by the... you know... tracking prevention software.

Lukas Olejnik, who is cited by FT, posted a link to the paper on Twitter and stated:

Apple/Safari Intelligent Tracking Prevention is a mechanism intended to improve privacy. It was found to have privacy vulnerabilities allowing sites to track the user (and fingerprint), and to stealing web browser history of a user. Incredible find.

See more

Now, as mentioned, the news that Apple was having problems with the Intelligent Tracking Prevention feature is not news. In fact, The engineer behind the software, John Wilander published a blog post entitled Preventing Tracking Prevention Tracking to address the issue, concluding:

We'd like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above. Full credit will be given in upcoming security release notes.

That was seemingly meant to put minds at ease. The abstract of the paper at the center of this story also states:

"A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3, released in December 2019."

According to Justin Schuh however, the team that provided the original report to Apple regarding the issue was confused by this post, and he furthermore stated that Apple doesn't seem to have addressed the problem. In response to a tweet linking the post that said "I think (correct me if I'm wrong) this has been addressed here", he stated:

It has not. I explained elsewhere that Apple's blog post was confusing to the team that provided the report. The post was made during a disclosure extension Apple had requested, but didn't disclose the vulnerabilities, and the changes mentioned didn't fix the reported issues.

See more

In response to the more general issue he said:

This is a bigger problem than Safari's ITP introducing far more serious privacy vulnerabilities than the kinds of tracking that it's supposed to mitigate. The cross-site search and related side-channels it exposes are also abusable security vulnerabilities.To add some context, Chrome's XSS Auditor was found to introduce exactly the same class of side-channel vulnerabilities. After several back and forths with the team that discovered the issue, we determined that it was inherent to the design and had to remove the code.I have no idea what Apple plans to do about this because it's been a defining theme in their anti-tracking approach (and one of our major concerns). They attempt to mitigate tracking by adding state mechanisms, but adding states often introduces worse privacy/security issues.

See more

As mentioned, most of today's reports seem to revolve around the published paper, and most of them also reference the blog post that seemingly addressed the issue. However as mentioned, Schuh seems pretty adamant that the blog post and Apple's changes "didn't fix the reported issues", looking ahead he also said that he has "no idea what Apple plans to do about this." In a different response to another tweet linking the same Apple blog post addressing the issue Schuh again stated:

No, I can assure you that they still haven't fixed these issues, which is what made that blog post last year so weird. Apple didn't disclose the vulnerabilities or appropriately credit the researchers, but put out a post implying they fixed "something".

See more

A Reuters journalist stated that Google declined to comment on Schuh's comments.

Stephen Warwick
News Editor

Stephen Warwick has written about Apple for five years at iMore and previously elsewhere. He covers all of iMore's latest breaking news regarding all of Apple's products and services, both hardware and software. Stephen has interviewed industry experts in a range of fields including finance, litigation, security, and more. He also specializes in curating and reviewing audio hardware and has experience beyond journalism in sound engineering, production, and design.

Before becoming a writer Stephen studied Ancient History at University and also worked at Apple for more than two years. Stephen is also a host on the iMore show, a weekly podcast recorded live that discusses the latest in breaking Apple news, as well as featuring fun trivia about all things Apple. Follow him on Twitter @stephenwarwick9

4 Comments
  • White Hats lock the door, Black Hats find a window. Bar the window, they find a crack in the foundation. This is always an arms race. So Apple tightened security, but Google found a few weak points. Apple will close them, and the cycle will go on.
  • No Doug. You missed the entire point. Apple said it "fixed" the problem. But in reality, they never. The Google tech says the same door is unlocked. Not a new way in. Read again.
  • Apple said that they had put a fix in place, not necessarily that it fully fixed the issue. This isn't some conspiracy or that Apple just said "yeah let's publish some release notes even though we didn't do anything!". I've seen plenty of situations before where Apple has "partially" fixed an issue, then fully fixed it later. Admittedly it's a criticism on Apple that they have been slow to fix this properly, but as Douglas said, it will get fixed
  • Should have been completely fixed as soon as it was discovered. Simple. Apple said it was, and it wasn’t. Not good enough.