Fix already available since last December, Apple says

Jan 23, 2020 10:23 GMT

Google discovered, reported, and helped Apple fix a critical security vulnerability in the company’s Intelligent Tracking Prevention (ITP) privacy tool.

Apple launched ITP back in 2017 as the most advanced anti-tracking system. It adds a new protection layer against both first-party and third-party cookies, with the latter blocked by default on all devices.

ITP is specifically meant to block overly intrusive tracking of users as they browse, but as Google explains in an analysis, the feature could be abused to have exactly the opposite effect.

In other words, hackers could hijack Apple’s ITP to access sensitive and private browsing information, and also to launch cross-site attacks that could then lead to adding new domains to the Apple-maintained ITP lists.

“These issues have a number of unexpected consequences, including the disclosure of the user’s web browsing habits, allowing persistent cross-site tracking, and enabling cross-site information leaks (including cross-site search),” Google explains.

Patches already available

The search giant has also provided a list of short-term workarounds, as well as general mitigation for Apple.

“A potential avenue for addressing this problem may be to remove user-specific aspect of ITP by shipping a common list, identical for all Safari users, based on an enumeration of known trackers or federated learning; however, this may make ITP less effective. Ideally, the privacy-protecting behaviors applied to sites on the ITP list could be extended to all domains, applying ITP by default to the entire web; this, in turn, may be prohibitive for compatibility reasons,” Google said.

Apple claims it already fixed the bugs quietly back in December, so all users should now be secure. Safari 13.0.4 and iOS 13.3, released in December 2019, are the patched versions that contain the fix.

“We’d like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above,” Apple says.

Given that the flaws are now public, users are advised to update to the patched versions as soon as possible.