I discovered a vulnerability in content blockers, with the help of a friend, that could be exploited to leak users’ browsing history to the content blocker developer, contrary to Apple’s claims that this was impossible. This exploit works even in Private Browsing, and allows malicious developers to log the time you visited each site. I reported this exploit on 9/30/15, and it was fixed in iOS 9.2 and Safari 9.0.2 on 12/8/15. If your iOS version is below this, update now! A writeup follows.
Disclosure Timeline
8/25/15 - I reported a bug to WebKit’s bug tracker that invalid CSS selectors such as “body{” were corrupting content blocking stylesheets
8/26/15 - response from the WebKit team that there wasn’t a whole lot they could do in this case, except for better error reporting
9/30/15 - I send an email to product-security@apple.com, providing a proof of concept that the lack of validation on user-supplied CSS selectors allowed content blockers to track users’ browsing history on Safari, even when the user is Private Browsing.
9/30/15 - Apple responds, stating that they are looking into the issue
10/5/15 - Apple WebKit developers reopen my initial bug, and submit a changeset to the WebKit source that fixes the vulnerability: http://trac.webkit.org/changeset/190602
12/8/15 - Apple pushes these WebKit updates in iOS 9.2 and Safari 9.0.2. They disclose the issue here (Safari 9.0.2): https://support.apple.com/en-us/HT205639 and here (iOS 9.2): https://support.apple.com/en-us/HT205635.
12/8/15 - I publish this blog post.
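The root of the bug in the timeline above is that a rule’s selector string is dropped into a generated stylesheet without being checked to be a selector at all, so a “selector” like “body{” escapes the selector position and corrupts everything after it. The following is an added example, not code from the original post, from WebKit, or from Refine: it shows a conservative check that a content blocker author (or a blocker app that lets users paste their own rules) can run over a rule list before handing it to Safari. The rule-list layout (trigger/action objects with a “css-display-none” action and a “selector” field) is Apple’s documented content blocker format; the assumption that each selector is emitted as `selector { display: none !important; }` is made here only to illustrate why an unbalanced brace breaks the stylesheet, and `renderRule`, `isSafeSelector` and `validateRuleList` are names chosen for this example.

```javascript
// Added example (not from the original post): validate "css-display-none"
// selectors in a Safari content-blocker rule list before they reach WebKit.
//
// Assumption (illustration only): each selector is concatenated into a
// stylesheet as `<selector> { display: none !important; }`, so a selector
// carrying its own "{" escapes the selector position and corrupts the rest.

function renderRule(selector) {
  // Assumed layout of one generated stylesheet rule.
  return `${selector} { display: none !important; }`;
}

// Characters that can never appear in a CSS selector outside a quoted string.
// Any of them means the "selector" is really a stylesheet fragment.
const FORBIDDEN = /[{};]/;

function isSafeSelector(selector) {
  if (typeof selector !== "string" || selector.trim() === "") return false;
  // Blank out quoted strings first so attribute selectors such as
  // img[alt="sponsor{1}"] are still accepted.
  const unquoted = selector.replace(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g, '""');
  if (FORBIDDEN.test(unquoted)) return false;
  // Comments and @-rules have no business in a selector either.
  if (unquoted.includes("/*") || unquoted.includes("@")) return false;
  return true;
}

// Split a JSON rule list into rules that may be shipped and rules whose
// selector would break out of the stylesheet.
function validateRuleList(json) {
  const rules = JSON.parse(json);
  const accepted = [];
  const rejected = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type === "css-display-none" && !isSafeSelector(action.selector)) {
      rejected.push(rule);
    } else {
      accepted.push(rule);
    }
  }
  return { accepted, rejected };
}

// Constructed sample rule list: two legitimate rules plus one "selector" that
// is really a stylesheet fragment, like the "body{" case from the bug report.
const SAMPLE_RULES = JSON.stringify([
  { trigger: { "url-filter": ".*" }, action: { type: "css-display-none", selector: ".ad-banner" } },
  { trigger: { "url-filter": ".*" }, action: { type: "css-display-none", selector: 'img[alt="sponsor{1}"]' } },
  { trigger: { "url-filter": ".*" }, action: { type: "css-display-none", selector: "body{" } },
]);

const result = validateRuleList(SAMPLE_RULES);
console.log("accepted:", result.accepted.map((r) => r.action.selector));
console.log("rejected:", result.rejected.map((r) => r.action.selector));
console.log("what the bad rule would have rendered as:", renderRule("body{"));
```

The check is deliberately a blacklist of brace, semicolon, comment and @-rule characters rather than a full selector parser: it rejects every string that could leave the selector position in the generated stylesheet, which is the property the WebKit fix restored, while still allowing ordinary selectors with quoted attribute values.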
Note: I develop a free, fully customizable content blocker for iOS called Refine. I’ve audited Refine’s public content blockers, and as of 12/8/15, none exercise this vulnerability. My default blockers certainly do not track user history. If you want to use the most feature-rich content blocker developed by someone who cares deeply about user privacy and security, try mine out. It is hard for me to tell whether other content blockers have been tracking user history using this exploit. Download my blocker, as I guarantee that I have not been tracking browsing history, and will continue to help identify and disclose vulnerabilities to Apple that may jeopardize my users’ privacy.