Information Leaks via Safari's Intelligent Tracking Prevention
Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, Roberto Clapis

TL;DR
This paper uncovers security and privacy vulnerabilities in Safari's Intelligent Tracking Prevention, revealing how it can leak user browsing habits and enable cross-site tracking despite privacy claims.
Contribution
It identifies multiple security flaws in Safari's ITP that allow cross-site information leaks and tracking, providing detailed analysis and disclosure of these vulnerabilities.
Findings
ITP vulnerabilities disclose the user's web browsing habits
ITP design issues allow persistent cross-site tracking despite its privacy measures
A number of the identified issues were addressed in Safari 13.0.4 and iOS 13.3
Abstract
Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented by Apple's Safari browser, released in October 2017. ITP aims to reduce the cross-site tracking of web users by limiting the capabilities of cookies and other website data. As part of a routine security review, the Information Security Engineering team at Google has identified multiple security and privacy issues in Safari's ITP design. These issues have a number of unexpected consequences, including the disclosure of the user's web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search). This report is a modestly expanded version of our original vulnerability submission to Apple (WebKit bug #201319), providing additional context and edited for clarity. A number of the issues discussed here have been addressed in Safari 13.0.4 and iOS 13.3,…
Taxonomy
Topics: Security and Verification in Computing · Web Application Security Vulnerabilities · User Authentication and Security Systems
