Stateful Browser Features

Stateful Browser Features

October 1, 2020
Category Historical
Defenses Browser Fix

Some browser features/extensions change the way requests are processed, depending on certain website states generated by the browser. Attackers can sometimes observe the whole process and mess with the browser, triggering actions that produce side effects on those states.

WebKit – ITP #

Intelligent Tracking Prevention (ITP) is a privacy feature which is part of WebKit Tracking Prevention technologies. It’s a conjunction of several features and aims to prevent a website from tracking a user under a third-party context. Unfortunately, the initial design introduced a new XS-Leak 1, allowing attackers to abuse the states implicitly created by ITP to classify websites as trackers.

Root Cause #

To classify whether a website has tracking capabilities, ITP collects statistics on resource loads as well as on user interactions with websites such as clicks, taps, or text entries. Based on the classification of these statistics, ITP gives a strike to a website if it is believed to have tracking capabilities. After 3 strikes, a website is put on a deny list and is treated differently by the browser in future requests.

Issues #

One of the issues of ITP is that attackers can manipulate it to arbitrarily enforce certain behaviors. For example, an attacker could force ITP to give a strike to a domain and check if the domain entered the deny list. This information could be leveraged in different ways, for example to:

  • Leak the user’s browsing habits based on how many strikes are necessary for a domain to enter the deny list.
  • Use the deny list to implement an XS-Search attack against a page that includes cross-site resources only when results are present.

Fix #

To fix the issue, ITP now considers every site to be a “tracking” site by default, instead of relying on classifications. This removes the implicit states which allowed attackers to detect certain ITP behaviors.

References #


  1. Information Leaks via Safari’s Intelligent Tracking Prevention, link ↩︎