WHEN TRACKING PROTECTION ISN’T
Apple’s Intelligent Tracking Prevention can open users to a variety of attacks.
Known as Intelligent Tracking Prevention, the mechanism uses machine learning to classify which websites are allowed to use browser cookies or scripts hosted on third-party domains to track users. Classifications are based on the specific browsing patterns of each end user. Sites that end users intentionally visit are permitted to do cross-site tracking. Sites that users don’t actively visit (but that are reached through tracking scripts) are restricted, either by automatically removing the cookies they set or by truncating referrer headers to include only the domain rather than the entire URL.
Not all third-party tracking is invasive. Using Google or Facebook credentials to log in to a different site through OAuth
The paper continues:
As a result of customizing the ITP list based on each user’s individual browsing patterns, Safari has introduced global state into the browser, which can be modified and detected by every document.
Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user’s ITP list. By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user’s ITP list; it can repeat this process and reveal ITP state for any domain.
It’s trivial for attackers to determine the ITP status of any domain under their control. Attackers simply issue cross-site requests from another domain and check whether the referer header has been truncated or whether a cookie previously sent in a first-party context is present in the request. Revealing the status of domains outside the attackers’ control is only slightly harder. It requires the use of a side channel that compares the behavior of requests affected by ITP with the behavior of those that are unaffected by ITP. The paper says the Internet “abounds” in such side channels and identifies six of them.
The paper goes on to list five attacks that are made possible by Safari’s ITP. They include:
- revealing domains on the ITP list
- identifying individual visited websites
In a post published last month, Apple WebKit Engineer John Wilander enumerated the changes his team made after the Google researchers privately reported their findings. Some of the changes include:
- downgrading all cross-site request referer headers to just the page’s origin
- blocking all third-party requests from seeing their cookies, regardless of the ITP status of the third-party domain
It’s not immediately clear how many of the five attacks developed by the Google researchers are no longer possible. Neither Apple nor Google responded to requests to comment for this post. The changes appear to be mostly short-term mitigations designed to make it harder for attackers to abuse ITP. The take-away seems to be that as long as Safari’s ITP continues to rely on users’ individual browsing patterns, it may provide more risk than protection. It can be turned off in the privacy section of the Safari preferences.
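As an added illustration (not code from the article, the paper, or Apple), the following Python shows what the first of Apple’s listed changes means in practice: a full cross-site Referer value reduced to just its origin (scheme, host and non-default port, with path, query, fragment and userinfo dropped), together with a check a site operator can run over received requests to see whether any cross-site referers still carry more than an origin. The function names and the sample request log are constructed for this example. A first-party site does not have to wait for a browser-side downgrade to get this behavior: sending `Referrer-Policy: strict-origin-when-cross-origin` tells every browser to do the same truncation on cross-site requests.

```python
from urllib.parse import urlsplit

# Only web origins are considered here (assumption for this example);
# a browser sends no Referer for other schemes.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_origin(referer: str) -> str:
    """Reduce a full Referer value to its origin: scheme://host[:port]/.

    Path, query, fragment and userinfo are dropped, the host is lowercased
    and a default port is omitted. Returns "" for anything that is not a
    well-formed http(s) URL, i.e. cases where nothing should be sent at all.
    """
    parts = urlsplit(referer)
    scheme = parts.scheme.lower()
    if scheme not in _DEFAULT_PORTS or not parts.hostname:
        return ""
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return ""
    host = parts.hostname  # already lowercased, userinfo stripped
    if ":" in host:        # IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if port is None or port == _DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}/"
    return f"{scheme}://{host}:{port}/"


def is_origin_only(referer: str) -> bool:
    """True when a Referer value carries nothing beyond its origin.

    This is the shape a cross-site request should arrive in after the
    downgrade described above (or under a strict-origin referrer policy).
    """
    if referer_origin(referer) == "":
        return False
    parts = urlsplit(referer)
    return (parts.path in ("", "/")
            and not parts.query
            and not parts.fragment
            and parts.username is None)


# Constructed sample: (path requested on our host, Referer header as received)
SAMPLE_REQUEST_LOG = [
    ("/pixel.gif", "https://news.example/article/2020/01/tracking-protection?id=42"),
    ("/pixel.gif", "https://news.example/"),
    ("/pixel.gif", "https://shop.example:8443/cart#step2"),
    ("/pixel.gif", ""),
]


def leaked_referers(log):
    """Return the referers in a request log that still expose more than an origin.

    A non-empty result means some referring page (or the browser fetching it)
    is not applying the origin-only downgrade to its cross-site requests.
    """
    return [ref for _, ref in log if ref and not is_origin_only(ref)]


if __name__ == "__main__":
    for _, ref in SAMPLE_REQUEST_LOG:
        print(f"{ref!r:70} -> {referer_origin(ref)!r}")
    print("still leaking a path or query:", leaked_referers(SAMPLE_REQUEST_LOG))
```

`referer_origin` is the value a browser sends after the downgrade; `leaked_referers` is the audit a third-party endpoint (an analytics or image host, for instance) can run on its own logs to confirm that cross-site referers arriving from Safari, or from any browser honoring a strict-origin policy, no longer reveal which page on the referring site the user was reading.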