A significant security flaw has been identified in Apple’s Safari browser that could potentially expose iPhone users in the European Union to unauthorized tracking.
This vulnerability stems from a new feature introduced in iOS 17.4, designed to facilitate the installation of apps from alternative marketplaces directly via Safari.
Background of the Flaw
The issue was first reported by security researchers Talal Haj Bakry and Tommy Mysk, who discovered that Apple’s implementation of a new URI scheme, marketplace-kit, could be exploited to track users across different websites.
This scheme was intended to allow EU users to download and install apps from third-party marketplaces without going through the App Store, complying with new EU regulations to reduce Apple’s market dominance.
Technical Details of the Vulnerability
The vulnerability arises during the app installation process. When a user decides to install an app from a marketplace website using Safari, the browser invokes the marketplace-kit URI scheme.
This action triggers the MarketplaceKit process, which handles the communication with the marketplace’s backend servers.
During this process, a unique client_id identifier is sent to the marketplace. Alarmingly, this identifier is not only unique but also consistent across different sessions and websites.
This consistency allows for potential tracking of users’ online activities across multiple sites that utilize this scheme.
The core of the privacy concern lies in the fact that any website can trigger the MarketplaceKit process by simply calling the marketplace-kit URI scheme.
This means that multiple websites could potentially collaborate to track a user’s online behaviour by sharing the client_id identifier.
This flaw is particularly concerning because Safari, which otherwise protects users against cross-site tracking, does not verify the origin of the website making the call to the URI scheme.
Unlike browsers such as Brave, which checks the website’s origin against the URL passed in the request, Safari has no such safeguard in place.
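The origin check credited to Brave above, modelled as an added example in JavaScript; this is not code from the article, Apple or Brave. The request shape marketplace-kit:?url=<marketplace URL> and the marketplace hostnames are assumptions, since the article does not give the real format.

```javascript
// Added example (not Apple's or Brave's code): a browser-side gate that only
// lets a page invoke the marketplace-kit scheme for a marketplace URL on its
// own origin, so a third-party site cannot trigger the MarketplaceKit process
// (and its client_id exchange) on another marketplace's behalf.
// ASSUMED request shape: marketplace-kit:?url=<percent-encoded marketplace URL>

const SCHEME = "marketplace-kit:";

// Extract the marketplace URL carried by the request; null if malformed.
function parseMarketplaceKitUri(uri) {
  if (typeof uri !== "string" || !uri.startsWith(SCHEME)) return null;
  const params = new URLSearchParams(uri.slice(SCHEME.length));
  const target = params.get("url");
  if (!target) return null;
  try {
    return new URL(target);
  } catch {
    return null; // not a valid absolute URL
  }
}

// Decide whether the page at pageOrigin may launch MarketplaceKit for uri.
// Returns { allowed, reason } so the caller can log denials for detection.
function checkMarketplaceKitCall(pageOrigin, uri) {
  const target = parseMarketplaceKitUri(uri);
  if (!target) return { allowed: false, reason: "unparseable request" };
  if (target.protocol !== "https:") {
    return { allowed: false, reason: "marketplace URL must use https" };
  }
  // The safeguard Safari lacks: bind the request to the calling page's origin.
  if (target.origin !== pageOrigin) {
    return { allowed: false, reason: `origin mismatch: ${pageOrigin} requested ${target.origin}` };
  }
  return { allowed: true, reason: "origin matches" };
}

// Constructed demo values (hypothetical hostnames).
const legit = checkMarketplaceKitCall(
  "https://market.example",
  "marketplace-kit:?url=https%3A%2F%2Fmarket.example%2Finstall%2Fapp1");
const crossSite = checkMarketplaceKitCall(
  "https://tracker.example",
  "marketplace-kit:?url=https%3A%2F%2Fmarket.example%2Finstall%2Fapp1");
console.log(legit, crossSite);
```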
Apple’s Response and Security Measures
Only a select few browsers, including Brave, Ecosia, and Safari, have Apple’s permission to use the URI scheme as of right now. These browsers have to obtain a special entitlement from Apple to support this feature.
The researchers have highlighted that this implementation by Apple has “catastrophic security and privacy flaws.”
They urge Apple to take immediate action to rectify these issues to prevent potential misuse of the vulnerability.
To mitigate this tracking risk, it is recommended that users be cautious about installing apps from third-party marketplaces until Apple addresses the flaw.
Users should also consider using browsers that do not support the marketplace-kit URI scheme if they are concerned about their privacy.
This discovery sheds light on the ongoing challenges tech companies face in balancing functionality with privacy and security.
It also highlights the importance of rigorous security testing, especially when implementing features that handle sensitive user data.
Apple is expected to respond to these findings with updates to Safari’s security measures, ensuring user privacy is not compromised in its browser ecosystem.
As the situation develops, further updates from Apple and recommendations from cybersecurity experts are anticipated.
Users are advised to stay informed and apply all security updates Apple issues to protect against potential exploitation of this vulnerability.