Apple has eliminated a flaw in WebKit's implementation of HSTS that left the door open for cross-site tracking abuse in Safari.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A flaw in HSTS makes it possible for Safari users to be tracked cross-site by "supercookies."
- Apple has released two fixes to eliminate the flaw. Safari users should update immediately, as Apple states it has found some sites using the exploit to create tracking cookies.
A flaw in Apple's WebKit, which powers Safari and other web-connected apps, could allow an attacker to create a cross-site tracking "supercookie."
Apple has taken steps to resolve the issue by changing the HTTP Strict Transport Security (HSTS) implementation in WebKit that was the root of the problem.
HSTS is a mechanism that allows a website to force visitors to use its HTTPS version, and it turns out it can be exploited to store cross-site tracking information. The potential abuse of HSTS for cross-site tracking has been a known issue since 2015, and Apple said it has recently become aware of attempts to deploy the attack against Safari users.
How HSTS tracking abuse happens
HSTS is, conceptually, quite simple: It allows websites to declare to web browsers that they can only be accessed via HTTPS, forces a redirect to the secure version of the site, and makes a browser remember when it is redirected to ensure it goes to the HTTPS version in the future.
HSTS is great for ensuring secure connections, which is an essential part of using the modern internet. HTTPS is nearly universally expected, with Google even going so far as to tell anyone visiting a standard HTTP website that their connection isn't secure.
One big problem, though: HSTS can be used maliciously to create cross-site tracking cookies.
Specifically, a malicious website can abuse a visitor's HSTS cache to uniquely identify each site visitor. It works, according to Apple software engineer Brent Fulgham, by the attacker storing a single bit of information per tracker-controlled domain in the user's HSTS cache.
"For example, 'load this domain with HTTPS' could represent a 1, while no entry in the HSTS cache would represent a 0. By registering some large number of domains (e.g., 32 or more), and forcing resource loads from a controlled subset of those domains, they can create a large enough vector of bits to uniquely represent each site visitor," Fulgham said.
Fulgham said that using HSTS in the manner required to track users in this way "does not benefit legitimate use cases," leading Apple to develop two fixes that address the problem.
The actual exploit happens in two stages: creating the tracking identifier and reading it on subsequent visits. Apple developed a pair of fixes to eliminate both stages of the exploit.
Fix 1: Restrict HSTS to the top-level domain name
Creating an HSTS tracker requires generating a binary string to identify each visitor, which malicious websites were found to be distributing through multiple subdomains or sibling domains.
To execute the tracking, HSTS had to be enabled for each of those sub- or sibling domains, so the first fix restricts HSTS state to only the top-level domain (e.g., "https://example.com") or the exact hostname that was loaded (e.g., "https://a.a.a.a.a.a.a.example.com").
Because establishing an HSTS tracker requires redirects to 32 or more domains, all of which need to have HSTS enabled, the fix will prevent trackers from being created.
Fix 2: Ignore HSTS upgrade requests for subresources from blocked domains
To drop a tracking cookie, malicious websites often load a string of invisible pixels as subresources, each forcing an HSTS-upgraded connection. If those upgrades are refused and only the original website's request goes through, the tracking identifier simply reads back as a string of zeros.
Apple has changed WebKit so that it now ignores HSTS upgrade requests for subresource loads from blocked domains.
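To make the two rules concrete, here is an added Python model of the HSTS write and read sides under the old and new policy. It is constructed for this article and is not WebKit's code; the pre-fix behaviour, the hostnames and the block-list contents are assumptions.

```python
# Constructed model of WebKit's two HSTS mitigations; not WebKit code. Assumed:
# before the fixes a response could pin any host the tracker named, and the
# made-up domain "tracker.example" sits on an assumed tracking-prevention list.
def top_level_domain(host):
    """Registrable domain, simplified to the last two labels (WebKit consults
    the public suffix list, so suffixes such as co.uk are not handled here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class HSTSCache:
    def __init__(self, fixed, blocked_domains=()):
        self.fixed = fixed                         # True = both fixes applied
        self.blocked = frozenset(blocked_domains)  # assumed block list
        self.entries = set()                       # hosts pinned to HTTPS

    def on_sts_response(self, loaded_host, target_host):
        """An HTTPS response from loaded_host asks to pin target_host.
        Fix 1: honour only the top-level domain or the exact loaded host."""
        if self.fixed and target_host not in (loaded_host, top_level_domain(loaded_host)):
            return False
        self.entries.add(target_host)
        return True

    def upgrades(self, host, is_subresource):
        """Would an http:// request for host be upgraded to https://?
        Fix 2: never for a subresource request to a blocked domain."""
        if self.fixed and is_subresource and top_level_domain(host) in self.blocked:
            return False
        return host in self.entries

def read_bits(cache, hosts):
    """Read side: each invisible-pixel subresource that is upgraded reads as 1."""
    return "".join("1" if cache.upgrades(h, True) else "0" for h in hosts)

USER_ID_BITS = "10110010"  # constructed 8-bit identifier (the page says 32+ in practice)
LONG_HOST = ".".join(["a"] * 9 + ["tracker", "example"])
INTERMEDIATES = [".".join(["a"] * n + ["tracker", "example"]) for n in range(1, 9)]
SIBLINGS = ["b%d.tracker.example" % i for i in range(8)]

def simulate_intermediates(fixed):
    """One response from the long host tries to pin its intermediate labels."""
    cache = HSTSCache(fixed, blocked_domains={"tracker.example"})
    stored = sum(cache.on_sts_response(LONG_HOST, h) for h, b in zip(INTERMEDIATES, USER_ID_BITS) if b == "1")
    return stored, read_bits(cache, INTERMEDIATES)

def simulate_siblings(fixed):
    """Each sibling host is loaded itself, so Fix 1 permits the pin; Fix 2
    still makes the later read come back as all zeros."""
    cache = HSTSCache(fixed, blocked_domains={"tracker.example"})
    stored = sum(cache.on_sts_response(h, h) for h, b in zip(SIBLINGS, USER_ID_BITS) if b == "1")
    return stored, read_bits(cache, SIBLINGS)
```

Under the old policy both scenarios store four bits and read them back intact; with the fixes applied, Fix 1 stops the intermediate-label write entirely and Fix 2 turns the sibling-domain read into zeros even though the write succeeded.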
With word that illegitimate websites are seeking to exploit HSTS in Safari to create tracking cookies, it's a good idea to upgrade Safari to the latest version. Don't end up with a compromised browser that would have been immune had the update been installed.