Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today's blocking techniques.
A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.
The tracker relies on DNS queries to get past browser defenses, so some form of domain-name look-up filtering could thwart this snooping. As far as netizens armed with just their browser and a regular old content-blocker plugin are concerned, this tracker can sneak by unnoticed. It can be potentially used by advertising and analytics networks to fingerprint netizens as they browse through the web, and silently build up profiles of their interests and keep count of pages they visit.
And, interestingly enough, it's seemingly a result of an arms race between browser makers and ad-tech outfits as they battle over first and third-party cookies.
Ooh, la la
Here's where it all began: in a GitHub issue earlier this month, a developer who goes by the name Aeris online, said that French newspaper website liberation.fr uses a tracker crafted by French marketing analytics outfit Eulerian "that seems to be unblockable."
What makes it so is that the domain referenced appears to be a first-party page element – associated with the website publisher's domain – rather than a third-party page element – associated with a domain other than the visited website.
In response to privacy concerns, companies like Apple and Mozilla have, over the past few years, introduced tracking protection mechanisms in their respective browsers, Safari and Firefox, and have begun blocking third-party cookies – set by third-party trackers – by default.
Many marketers, keen on maintaining their tracking and data collection capabilities, have turned to a technique called DNS delegation or DNS aliasing. It involves having a website publisher delegate a subdomain that the third-party analytics provider can use and aliasing it to an external server using a CNAME DNS record. The website and its external trackers thus seem to the browser to be coming from the same domain and are allowed to operate.
As Eulerian explains on its website, "The collection taking place under the name of the advertiser, and not under a third party, neither the ad blockers nor the browsers, interrupt the calls of tags."
But wait, there's more
Another marketing analytics biz, Wizaly, also advocates this technique to bypass Apple's ITP 2.2 privacy protections.
As does Adobe, which explains on its website that one of the advantages of CNAME records for data collection is they "[allow] you to track visitors between a main landing domain and other domains in browsers that do not accept third-party cookies."
In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive. Aeris added that DNS delegation clearly violates Europe's GDPR, which "clearly states that 'user-centric tracking' requires consent, especially in the case of a third-party service usage."
A recent statement from the Hamburg Commissioner for Data Protection and Freedom of Information in Germany notes that Google Analytics and similar services can only be used with consent.
"This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox," said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.
"This is an exploit, not an 'oopsies,' because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the 'badtech industrial complex' protecting its river of gold."
The Register asked Eulerian to comment but as yet no one has replied.
Mozilla says Firefox won't defang ad blockers – unlike a certain ad-giant browserREAD MORE
Using DNS records to make a third-party domain appear to be first-party was documented previously in a 2014 paper by Lukasz Olejnik and Claude Castelluccia, researchers with Inria, a French research institute. The technique is also discussed in a 2010 academic research paper, "Cookie Blocking and Privacy: First Parties Remain a Risk," by German Gomez, Julian Yalaju, Mario Garcia, and Chris Hoofnagle.
Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.
"uBO is now equipped to deal with third-party disguised as first-party as far as Firefox's browser.dns allows it," Hill wrote, adding that he assumes this can't be fixed in Chrome at the moment because Chrome doesn't have an equivalent DNS resolution API.
Aeris said, "For Chrome, there is no DNS API available, and so no easy way to detect this," adding that Chrome under Manifest v3, a pending revision of Google's extension platform, will break uBO. Hill, uBO's creator, recently confirmed to The Register that's still the case.
Even if Chrome were to implement a DNS resolution API, Google has made it clear it wants to maintain the ability to track people on the web and place cookies, for the sake of its ad business.
Apple's answer to marketer angst over being denied analytic data by Safari has been to propose a privacy-preserving ad click attribution scheme that allows 64 different ad campaign identifiers – so marketers can see which worked.
Google's alternative proposal, part of its "Privacy Sandbox" initiative, calls for an identifier field capable of storing 64 bits of data – considerably more than the integer 64.
As the Electronic Frontier Foundation has pointed out, this enables a range of numbers up to 18 quintillion, allowing advertisers to create unique IDs for every ad impression they serve, information that could then be associated with individual users. ®