Safari's Intelligent Tracking Prevention Fails to Prevent Tracking


Level 9
Nov 3, 2019
The privacy mechanism implemented by Apple’s Safari browser to prevent user tracking across websites is not efficient at protecting users’ privacy, Google security researchers have discovered.
Called Intelligent Tracking Prevention (ITP), the system is meant to prevent websites commonly loaded in a third-party context from receiving identifiable information about the user. It works by creating a list of prevalent domains and applying privacy restrictions to cross-site requests for these domains.
Safari’s protection works by increasing an internal counter for the domain from which the resource is loaded. Once the counter reaches a specific value, the site is added to the list of prevalent domains. Moving forth, when cross-site requests are made to prevalent domains, user-identifiable information is removed so that the user can’t be tracked.

In their whitepaper, Google’s researchers describe five attack scenarios that underline the discovered weaknesses in Apple’s mechanism. Threat actors, they say, can identify domains on the ITP list, identify individual visited websites, create a persistent fingerprint via ITP pinning, force a domain onto the ITP list, or launch cross-site search attacks using ITP.