Apple’s Intelligent Tracking Mechanism (ITP) was prone to multiple vulnerabilities that allowed attackers to track users. Apple patched the vulnerabilities in December 2019 after being notified by security researchers from Google.
Through these vulnerabilities, a website could do the following on the user’s device:
- See the list of domains stored by ITP.
- See which websites the user has visited.
- Force a domain onto the ITP list.
- Perform cross-site search attacks using ITP.
- Create a persistent fingerprint via ITP pinning that tracks the user’s browsing habits.
How does ITP function?
In a research paper, the analysts from Google described how the vulnerabilities work. ITP, which was first launched in 2017, prevents the user from being tracked by blocking the information requested by websites.
ITP stores an on-device list of prevalent domains, which is based on the user’s web traffic. ITP also applies restrictions to cross-site requests to domains that are registered as prevalent.
When the Safari browser notices that a website is making a cross-site request, it increases the counter for the domain through which the website is being loaded. The researchers call this mechanism an ITP strike. When a domain has accumulated a certain number of ITP strikes, Safari removes the cookies and other information that can be used to identify the user.
As the ITP list is stored on the device, any potential attacker website can manipulate the list. According to the researchers, any website can issue cross-site requests and can thereby increase the ITP strikes on any arbitrary domain. Then, by checking the side effects of cross-site HTTP requests, the website can ascertain whether its domain is present in the ITP list or not.
A website — using a similar technique — can check the ITP state of any domain on the ITP list.
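The following is an added example, not code from the article, the researchers or WebKit: a toy in-memory model of the strike counter described above, showing why a single on-device list that every site can both write to and observe reflects browsing history. The class name, the threshold value of 3 and all domain names are assumptions made for illustration.

```javascript
// Toy in-memory model of the strike mechanism described above (not Safari/WebKit code).
// STRIKE_THRESHOLD is an assumed value; the article only says "a certain number".
const STRIKE_THRESHOLD = 3;

class ItpModel {
  constructor() {
    this.strikes = new Map(); // domain -> strike count (one shared list per device)
    this.cookies = new Map(); // domain -> cookie value
  }

  isPrevalent(domain) {
    return (this.strikes.get(domain) || 0) >= STRIKE_THRESHOLD;
  }

  // A page on `firstParty` requests a resource from `target`.
  request(firstParty, target) {
    const crossSite = firstParty !== target;
    // The restriction is decided from the state before this request is counted.
    const restricted = crossSite && this.isPrevalent(target);
    const cookieSent = restricted ? null : this.cookies.get(target) || null;
    if (crossSite) this.strikes.set(target, (this.strikes.get(target) || 0) + 1);
    // Once the domain is classified, its identifying data is removed.
    if (this.isPrevalent(target)) this.cookies.delete(target);
    return { restricted, cookieSent };
  }
}

// Constructed scenario: every domain name here is a placeholder.
function runScenario() {
  const itp = new ItpModel();
  itp.cookies.set("widgets.example", "id=123");
  itp.cookies.set("tracker.example", "uid=abc");
  // Ordinary browsing: three visited sites embed tracker.example.
  for (const site of ["news.example", "shop.example", "blog.example"]) {
    itp.request(site, "tracker.example");
  }
  // An unrelated site sees different treatment for the two domains,
  // and that difference is a function of the user's browsing history.
  const seenTracker = itp.request("other.example", "tracker.example").restricted;
  const seenWidgets = itp.request("other.example", "widgets.example").restricted;
  // The list is writable by anyone: one page's requests classify an arbitrary domain.
  for (let i = 0; i < STRIKE_THRESHOLD; i++) itp.request("other.example", "widgets.example");
  return {
    seenTracker, seenWidgets,
    widgetsForced: itp.isPrevalent("widgets.example"),
    widgetsCookieKept: itp.cookies.has("widgets.example"),
  };
}
console.log(runScenario());
```

The model counts every cross-site request as one strike, which is a simplification of the counter the article describes.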
Apple patched the vulnerability and acknowledged Google’s effort on December 10, 2019.