A significant security vulnerability has been found in Apple’s Safari browser, which affects iPhone users in the European Union. The flaw stems from a new feature in iOS 17.4, aimed at allowing users to install apps directly from Safari through alternative marketplaces, a move meant to comply with EU regulations intended to curb Apple’s market dominance. Security researchers Talal Haj Bakry and Tommy Mysk identified that the implementation of a new URI scheme called marketplace-kit by Apple could be exploited to track users across different websites. This scheme, used during the app installation process, sends a unique and consistent client_id to the marketplace’s backend, which can be used to track users’ online activities across multiple sites.
The exploitation process begins when a user opts to install an app from a marketplace website using Safari. This action invokes the marketplace-kit URI scheme, initiating the MarketplaceKit process that manages backend communications. During this process, the unique client_id, which remains consistent across different sessions and websites, is transmitted. This consistency of the identifier allows for potential tracking of the user’s online behaviors across various platforms that employ this scheme.
One of the core privacy concerns with this vulnerability is that any website can initiate the MarketplaceKit process by simply invoking the marketplace-kit URI scheme. This design flaw means that multiple websites could potentially collaborate to monitor and share a user’s online behavior by leveraging the client_id identifier. This issue is compounded by Safari’s failure to verify the website’s origin when calling the URI scheme, a security measure that browsers like Brave implement by checking the website’s origin against the URL in the request.
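The origin check described above can be sketched as follows. This is an added example, not code from Apple, Brave or the researchers; the URI layout, the `package` parameter and the `.example` hosts are constructed for illustration, since the article does not give the scheme's format.

```javascript
// Same-origin gate for marketplace-kit invocations (illustrative sketch).
// Assumption: the scheme URL carries the marketplace URL in its query string.
const SCHEME = 'marketplace-kit:';

// Collect every http(s) URL found among the query parameter values.
function embeddedUrls(schemeUrl) {
  const found = [];
  for (const value of schemeUrl.searchParams.values()) {
    try {
      const u = new URL(value);
      if (u.protocol === 'https:' || u.protocol === 'http:') found.push(u);
    } catch { /* value is not a URL; ignore it */ }
  }
  return found;
}

// Decide whether the page at pageUrl may invoke rawSchemeUrl.
function allowInvocation(pageUrl, rawSchemeUrl) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(rawSchemeUrl);
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (target.protocol !== SCHEME) {
    return { allow: false, reason: 'not marketplace-kit' };
  }
  const urls = embeddedUrls(target);
  if (urls.length === 0) {
    return { allow: false, reason: 'no marketplace URL in request' };
  }
  // Every embedded URL must share the calling page's origin.
  const mismatch = urls.find((u) => u.origin !== page.origin);
  if (mismatch) {
    return { allow: false, reason: `cross-origin: ${mismatch.origin}` };
  }
  return { allow: true, reason: 'same origin' };
}

// Constructed sample request (hypothetical parameter name and host).
const SAMPLE =
  'marketplace-kit://install?package=https%3A%2F%2Fmarket.example%2Fapp.json';
console.log(allowInvocation('https://market.example/store', SAMPLE));
console.log(allowInvocation('https://news.example/article', SAMPLE));
```

With a gate like this, only the marketplace's own pages can start the flow, so an unrelated site cannot trigger the request that carries the client_id.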
Apple has allowed only a few browsers, including Safari, to use the marketplace-kit URI scheme with a special entitlement. The security researchers have criticized this implementation, highlighting its “catastrophic security and privacy flaws” and pressing Apple to address these issues promptly. In response to the potential for misuse, users are advised to be cautious when installing apps from third-party marketplaces and to consider using browsers that do not support the marketplace-kit URI scheme if concerned about privacy. As Apple works to rectify this flaw, it is crucial for users to stay updated on developments and apply any security updates issued to protect against potential exploitation of this vulnerability.