Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much

Ad-tech arms race continues: DNS system exploited to silently follow folks around the web

Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today's blocking techniques.

A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.

The tracker relies on DNS queries to get past browser defenses, so some form of domain-name look-up filtering could thwart this snooping. As far as netizens armed with just their browser and a regular old content-blocker plugin are concerned, this tracker can sneak by unnoticed. It can be potentially used by advertising and analytics networks to fingerprint netizens as they browse through the web, and silently build up profiles of their interests and keep count of pages they visit.

And, interestingly enough, it's seemingly a result of an arms race between browser makers and ad-tech outfits as they battle over first and third-party cookies.

Ooh, la la

Here's where it all began: in a GitHub issue earlier this month, a developer who goes by the name Aeris online, said that French newspaper website uses a tracker crafted by French marketing analytics outfit Eulerian "that seems to be unblockable."

What makes it so is that the domain referenced appears to be a first-party page element – associated with the website publisher's domain – rather than a third-party page element – associated with a domain other than the visited website.

In response to privacy concerns, companies like Apple and Mozilla have, over the past few years, introduced tracking protection mechanisms in their respective browsers, Safari and Firefox, and have begun blocking third-party cookies – set by third-party trackers – by default.

Many marketers, keen on maintaining their tracking and data collection capabilities, have turned to a technique called DNS delegation or DNS aliasing. It involves having a website publisher delegate a subdomain that the third-party analytics provider can use and aliasing it to an external server using a CNAME DNS record. The website and its external trackers thus seem to the browser to be coming from the same domain and are allowed to operate.

As Eulerian explains on its website, "The collection taking place under the name of the advertiser, and not under a third party, neither the ad blockers nor the browsers, interrupt the calls of tags."

But wait, there's more

Another marketing analytics biz, Wizaly, also advocates this technique to bypass Apple's ITP 2.2 privacy protections.

As does Adobe, which explains on its website that one of the advantages of CNAME records for data collection is they "[allow] you to track visitors between a main landing domain and other domains in browsers that do not accept third-party cookies."

In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive. Aeris added that DNS delegation clearly violates Europe's GDPR, which "clearly states that 'user-centric tracking' requires consent, especially in the case of a third-party service usage."

A recent statement from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany notes that Google Analytics and similar services can only be used with consent.

"This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox," said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.

"This is an exploit, not an 'oopsies,' because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the 'badtech industrial complex' protecting its river of gold."

The Register asked Eulerian to comment but as yet no one has replied.

Chrome vs. Firefox

Mozilla says Firefox won't defang ad blockers – unlike a certain ad-giant browser


Using DNS records to make a third-party domain appear to be first-party was documented previously in a 2014 paper by Lukasz Olejnik and Claude Castelluccia, researchers with Inria, a French research institute. The technique is also discussed in a 2010 academic research paper, "Cookie Blocking and Privacy: First Parties Remain a Risk," by German Gomez, Julian Yalaju, Mario Garcia, and Chris Hoofnagle.

Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.

"uBO is now equipped to deal with third-party disguised as first-party as far as Firefox's browser.dns allows it," Hill wrote, adding that he assumes this can't be fixed in Chrome at the moment because Chrome doesn't have an equivalent DNS resolution API.

Aeris said, "For Chrome, there is no DNS API available, and so no easy way to detect this," adding that Chrome under Manifest v3, a pending revision of Google's extension platform, will break uBO. Hill, uBO's creator, recently confirmed to The Register that's still the case.

Even if Chrome were to implement a DNS resolution API, Google has made it clear it wants to maintain the ability to track people on the web and place cookies, for the sake of its ad business.

Apple's answer to marketer angst over being denied analytic data by Safari has been to propose a privacy-preserving ad click attribution scheme that allows 64 different ad campaign identifiers – so marketers can see which worked.

Google's alternative proposal, part of its "Privacy Sandbox" initiative, calls for an identifier field capable of storing 64 bits of data – considerably more than the integer 64.

As the Electronic Frontier Foundation has pointed out, this enables a range of numbers up to 18 quintillion, allowing advertisers to create unique IDs for every ad impression they serve, information that could then be associated with individual users. ®

Tech Resources

Apps are Essential, so your WAF must be effective

You can’t run a business today without applications—and because apps are critical to strategic business imperatives and commerce, they have become the prime target for attackers.

Webcast Slide Deck | How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Anatomy of a Private Cloud

Learn the key elements that combined, build a true Private Cloud

Biting the hand that feeds IT © 1998–2021