In Jan., Google engineers published a report revealing a privacy bug in the Safari web browser. The bug may have stemmed from the Intelligent Tracking feature Apple designed to minimize user tracking on the web. It turns out the feature intended to keep away trackers comes with vulnerabilities that enable user tracking.
What Is Intelligent Tracking Prevention Feature
Intelligent Tracking Prevention (ITP) is a feature Apple developed for Safari when used as a default browser on Macs, iPads, and iPhones. This feature is the first widely released mechanism aimed to minimize invasive web tracking and several other privacy abuses. When users browse sites using an Apple device, the Intelligent Tracking Prevention is activated y default.
ITP Discovered Vulnerabilities
Intelligent Tracking Prevention was designed to enable user tracking, disclosing browser history of Safari users on iPhones and Macs, and fingerprinting. Safari's ITP utilizes machine learning algorithms to determine and segregate third-party tracking cookies after 24 hours. Should the user fails to revisit the site using their Google account, it would be rendered useless.
However, companies easily adapted to this system. Since Apple's Safari ITP, Facebook and Google found ways to refresh their cookies constantly. It means that when users log into a site using a Google account, the cookies are restored, and so does the ability to monitor online activities. Other ITP vulnerabilities include information leaks by detecting the site's users visited.
Other Details
Additionally, it tracks the user using the Safari Intelligent Tracking Prevention feature and allows the mechanism to work like a cookie. It could also steal the user's fingerprint. Security researcher Lukasz Olejnik who saw Google's paper, said that the vulnerabilities could allow uncontrollable and unsanctioned user tracking if exploited.
He added that this kind of privacy vulnerabilities are rare and counter-intuitive. In Dec. last year, Apple fixed this kind of vulnerability based on a release update and thanked Google because of its responsible disclosure practice. However, it appears that despite Apple's quick response to the issue, the problem is still there.
According to Google Chrome's Engineering Director Jason Schuh, the changes Apple mentioned did not fix the reported issues at all. Until now, we have not yet heard that Apple has released an update to rectify these vulnerabilities. In other words, the vulnerabilities in Safari Intelligent Tracking Prevention feature have not yet been resolved.
Google said it is looking forward to work with the Cupertino company in terms of privacy and future security improvements on the web.
