Google and Apple may not be the best of friends. But when it comes to discovering flaws in a rival's product, users come first.
Back in December 2019, Google notified Apple about multiple bugs found in the Safari browser that allowed third-party websites to track users' browsing habits. According to a paper published by Google's security team, the flaws were inside Safari's anti-tracking technology, Intelligent Tracking Prevention (ITP).
Apple first introduced the ITP technology in 2017. It was regarded as one of the strongest privacy protection features for the web anywhere in the world.
In 2018, Apple introduced ITP 2, which also controls and limits social plugins such as Like buttons and comment fields.
The technology clears out first-party cookies regularly and blocks third-party cookies by default.
On the web where many websites and services are powered by ads and populated by trackers, this technology from Apple disrupts them and worries publishers.
But apparently, this technology had flaws.
In the paper, Google's team noted that these vulnerabilities could have resulted in a third-party company getting hold of sensitive and private browsing information. The flaws even allowed websites to carry out a cross-site attack and insert another domain into the ITP list.
This happened as a byproduct of ITP's mechanism.
When Safari notices a website sending a cross-site resource request, it increases an internal counter for the domain from which the resource is loaded. Once a given domain has accumulated enough ITP strikes, Safari categorizes it as a prevalent domain. Google's testing found that being loaded in a third-party context by 3 other domains was consistently sufficient for Safari to designate a domain as prevalent.
The problem lay in ITP's privacy restrictions, which remove information that would allow a domain to infer a user's identity and cross-link it with third-party requests from other websites.
By customizing the ITP list based on each user's individual browsing patterns, Safari introduced global state into the browser, state that can be modified and detected by every document. As a result, any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user's ITP list.
By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user’s ITP list. It can repeat this process and reveal ITP state for any domain.
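As an added illustration (not from Google's paper or Apple's code), the following toy model of the mechanism just described shows why a per-user, observable ITP list acts as a browsing-history oracle, and how applying the restriction uniformly to every cross-site request (a hypothetical mitigation variant, not the change Apple shipped) removes the observable difference. Class names, function names and domains are constructed.

```javascript
// Toy model of the ITP classification described in the article (constructed
// example, not WebKit code; class and function names are this example's own).
const PREVALENCE_THRESHOLD = 3; // the article: 3 embedding domains sufficed

class ITPModel {
  // uniformPolicy: hypothetical mitigation variant in which the restriction is
  // applied to every cross-site request, so list membership has no visible effect.
  constructor(uniformPolicy = false) {
    this.strikes = new Map(); // resource domain -> set of distinct top-level sites
    this.uniformPolicy = uniformPolicy;
  }
  // A page on topLevelSite loads a resource from resourceDomain (cross-site).
  recordCrossSiteRequest(topLevelSite, resourceDomain) {
    if (topLevelSite === resourceDomain) return; // same-site: not a strike
    if (!this.strikes.has(resourceDomain)) this.strikes.set(resourceDomain, new Set());
    this.strikes.get(resourceDomain).add(topLevelSite);
  }
  isPrevalent(domain) {
    return (this.strikes.get(domain)?.size ?? 0) >= PREVALENCE_THRESHOLD;
  }
  // The only thing a page can see: whether ITP restricted a cross-site request.
  restrictionApplied(domain) {
    return this.uniformPolicy || this.isPrevalent(domain);
  }
}

// Build one user's per-browser state from a constructed browsing history.
// history: array of [topLevelSite, [embedded resource domains...]]
function stateFromHistory(history, uniformPolicy = false) {
  const model = new ITPModel(uniformPolicy);
  for (const [site, embeds] of history)
    for (const d of embeds) model.recordCrossSiteRequest(site, d);
  return model;
}

// The check a defender cares about: do two users with different histories look
// different to an arbitrary page probing the same domain? If so, the list is a
// history oracle; if not, the global state is not observable from web content.
function listIsObservable(historyA, historyB, probeDomain, uniformPolicy = false) {
  const a = stateFromHistory(historyA, uniformPolicy).restrictionApplied(probeDomain);
  const b = stateFromHistory(historyB, uniformPolicy).restrictionApplied(probeDomain);
  return a !== b;
}

// Constructed histories: user A visited three sites embedding ads.example.test,
// user B visited one site that embeds nothing.
const USER_A = [["news.test", ["ads.example.test"]], ["shop.test", ["ads.example.test"]],
                ["blog.test", ["ads.example.test"]]];
const USER_B = [["news.test", []]];
```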
From a privacy and security perspective, the flaws were major.
"We'd like to thank Google for sending us a report in which they explore both the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection. Their responsible disclosure practice allowed us to design and test the changes detailed above," said Apple in its acknowledgment to Google after fixing the flaws.
Google and Apple are the two tech giants that control most of people's digital activities. The former controls most of the web as well as the Android ecosystem, while Apple is the iPhone maker.
While they have different pasts and compete with one another in many fields, the two couldn't be any closer when users are at stake. Not to mention, Google knows that Apple's ITP can hurt its ability to show targeted ads.
For example, back in August 2019, Google's security team revealed that a series of web exploits had targeted Uyghur Muslims in China using existing vulnerabilities in iOS. As for Apple, the company has become one of Google's role models in creating a safer Chrome web browser.