Google security researchers found a way to use ITP to track Apple fanboys as they searched for information on Taylor Swift and Coldplay which was amusingly the thing it was created to stop.
Apple buried the bad news in a WebKit blog post on Tuesday, masked by a slew of other security updates. The software updates to Apple's various operating systems and browser address three WebKit vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) that permit malicious web content to execute arbitrary code, but these appear to be unrelated.
The blog post, by WebKit security and privacy engineer John Wilander, says only that Google researchers provided Apple with a report that explores " the ability to detect when web content is treated differently by tracking prevention and the bad things that are possible with such detection."
Wilander said that the report led to several ITP changes and promised to credit Google's researchers in future security release notes.
Wilander's post explains that WebKit's tracking prevention system could itself be used as a mechanism for tracking. Hence the title of the post, "Preventing Tracking Prevention Tracking."
It would appear that ITP could function as a browser fingerprinting vector, conveying information that could be used to follow users around the web despite the ostensible tracking protection.
Apple seems to have fixed the problem