When Apple introduced powerful anti-tracking protections to Safari in 2017, advertisers banded together to say they were “deeply concerned” it would sabotage ad-supported content. Now, there’s new information showing that Safari users had good reason for unease as well.

Known as Intelligent Tracking Prevention, the mechanism uses machine learning to classify which websites are allowed to use browser cookies or scripts hosted on third-party domains to track users. Classifications are based on the specific browsing patterns of each end user. Sites that end users intentionally visit are permitted to do cross-site tracking. Sites that users don’t actively visit (but are accessed through tracking scripts) are restricted, either by automatically removing the cookies they set or truncating referrer headers to include only the domain, rather than the entire URL.

A paper published on Wednesday by researchers from Google said this protection came with unintended consequences that posed a risk to the privacy of end users. Because the list of restricted sites is based on users’ individual browsing patterns, Intelligent Tracking Prevention—commonly abbreviated as ITP—introduces settings into Safari that can be modified and detected by any page on the Internet. The paper said websites have been able to use this capability for a host of attacks, including:

obtaining a list of recently visited sites

creating a persistent fingerprint that follows a user around the Web

leaking search results or other sensitive information displayed by Safari

forcing any domain onto the list of sites not permitted to use third-party scripts or cookies

The Google researchers said that Apple addressed “a number of the issues” with the release in December of Safari 13.0.4 and iOS 13.3. The researchers didn’t elaborate.

Some cross-site tracking is OK

Not all third-party tracking is invasive. Using Google or Facebook credentials to log in to a different site through OAuth is one example of cross-site tracking that many people find useful. The Google paper provides more details about how ITP decides which sites should be restricted. While the process is complicated, a site was added to the restricted ITP list once Safari detected that it was used for third-party tracking by three other domains. The list is stored as registered domains. The list can only be appended, but it’s wiped clean any time a user clears the Safari browsing history.

The paper continues:

As a result of customizing the ITP list based on each user’s individual browsing patterns, Safari has introduced global state into the browser, which can be modified and detected by every document. Any site can issue cross-site requests, increasing the number of ITP strikes for an arbitrary domain and forcing it to be added to the user’s ITP list. By checking for the side effects of ITP triggering for a given cross-site HTTP request, a website can determine whether its domain is present on the user’s ITP list; it can repeat this process and reveal ITP state for any domain.

It’s trivial for attackers to determine the ITP status of any domain under their control. Attackers simply issue cross-site requests from another domain and check if the referer header has been truncated or if a cookie previously sent in a first-party context is present in the request. Revealing the status of domains outside the attackers’ control is only slightly harder. It requires the use of a side channel that compares the behavior of requests affected by ITP with the behavior of those that are unaffected by ITP. The paper says the Internet “abounds” in such side channels and identifies six of them.

The paper goes on to list five attacks that are made possible by Safari’s ITP. They include:

revealing domains on the ITP list

identifying individual visited websites

creating a persistent fingerprint through a technique known as ITP pinning

forcing a domain onto the ITP list

exploiting the leaking of information through cross-site search attacks

Besides Wednesday’s paper, threads here and here provide additional technical details.

Apple responds

In a post published last month, Apple WebKit Engineer John Wilander enumerated the changes his team made after the Google researchers privately reported their findings. Some of the changes include:

downgrading all cross-site request referer headers to just the page’s origin

blocking all third-party requests from seeing their cookies, regardless of the ITP status of the third-party domain

making tweaks to Safari’s original cookie policy restricting third parties from setting cookies unless they already have set cookies as a first party
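
The referrer change in the list above can be seen in a simplified model, added here as an illustration and not taken from the paper or from WebKit. It assumes the classifier reduces to the three-domain threshold described earlier and approximates a registered domain as the last two host labels; the class, function names and URLs are constructed for the example.

```javascript
// Simplified model of the behaviour the article describes; not WebKit code.
// Assumption: "registered domain" is approximated as the last two host labels.
const STRIKE_THRESHOLD = 3; // article: tracking seen under three other domains

const registeredDomain = (url) =>
  new URL(url).hostname.split(".").slice(-2).join(".");

class ItpModel {
  constructor() {
    this.strikes = new Map();    // third-party domain -> Set of first-party domains
    this.restricted = new Set(); // append-only list of registered domains
  }
  // Record a cross-site request from pageUrl to resourceUrl.
  observe(pageUrl, resourceUrl) {
    const first = registeredDomain(pageUrl);
    const third = registeredDomain(resourceUrl);
    if (first === third) return; // same-site requests earn no strike
    if (!this.strikes.has(third)) this.strikes.set(third, new Set());
    const seen = this.strikes.get(third);
    seen.add(first);
    if (seen.size >= STRIKE_THRESHOLD) this.restricted.add(third);
  }
  // Clearing browsing history is the only way the list shrinks.
  clearHistory() { this.strikes.clear(); this.restricted.clear(); }
}

// Referrer sent with a request under the policy "before" or "after" the fix.
function referrerSent(itp, pageUrl, resourceUrl, policy) {
  const origin = new URL(pageUrl).origin + "/";
  if (registeredDomain(pageUrl) === registeredDomain(resourceUrl)) return pageUrl;
  if (policy === "after") return origin; // every cross-site referrer downgraded
  return itp.restricted.has(registeredDomain(resourceUrl)) ? origin : pageUrl;
}

// True when the referrer a server receives varies with ITP list membership.
function referrerDependsOnItpState(policy) {
  const page = "https://news.example/article?id=42"; // constructed URLs
  const res = "https://cdn.widgets.example/pixel.gif";
  const clean = new ItpModel();
  const listed = new ItpModel();
  for (const site of ["a.example", "b.example", "c.example"]) {
    listed.observe(`https://www.${site}/`, res);
  }
  return referrerSent(clean, page, res, policy) !==
         referrerSent(listed, page, res, policy);
}
```

Under the "before" policy the referrer differs between a user whose list contains the domain and one whose list does not; under the "after" policy both users send the same value, so the header no longer reflects per-user state.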

It’s not immediately clear how many of the five attacks developed by the Google researchers are no longer possible. Neither Apple nor Google responded to requests to comment for this post. The changes appear to be mostly short-term mitigations designed to make it harder for attackers to abuse ITP. The take-away seems to be that as long as Safari’s ITP continues to rely on users’ individual browsing patterns, it may provide more risk than protection. It can be turned off in the privacy section of the Safari preferences.