What's CNAME of your game? This DNS-based tracking defies your browser privacy defenses

Study sees increasing adoption of cloaking to bypass cookie barriers


Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security.

In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven-affiliated researchers Yana Dimova, Gunes Acar, Wouter Joosen, and Tom Van Goethem, and privacy consultant Lukasz Olejnik, delve into the increasing adoption of CNAME-based tracking, which abuses DNS records to erase the distinction between first-party and third-party contexts.

"This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site," the paper explains. "As such, defenses that block third-party cookies are rendered ineffective."

The web security model is based on what's known as the same-origin policy. Resources that have the same origin, or domain, are afforded a higher level of trust than resources available elsewhere, at a different origin or domain. That's why websites can set and access their own (first-party) cookies in a visitor's browser, for example, and shouldn't be able to access cookies associated with a different domain (third-party).

While online publishers have been happy to allow advertisers to run third-party tracking code on their websites to collect data and follow people as they visit different websites, internet users and privacy-focused web browsers have ramped up privacy defenses over the past few years to limit the application of web-based tracking.

We will track you

Advertising technology companies have a history of figuring out ways around such barriers, however. Recall Google's efforts to override Safari's third-party cookie settings, which elicited an inconsequential $22.5m fine from the FTC in 2012.

Now, with the increasingly effective cookie cordons being erected in privacy-focused browsers like Brave, Firefox, and Safari, marketers have stepped up efforts to evade anti-tracking measures.

A technique known as DNS delegation or DNS aliasing has been known since at least 2007 and showed up in privacy-focused research papers in 2010 [PDF] and 2014 [PDF]. Based on CNAME DNS records, this method of defeating anti-tracking measures drew attention two years ago when open source developer Raymond Hill implemented a defense in the Firefox version of his uBlock Origin content blocking extension.

CNAME cloaking involves having a web publisher put a subdomain – e.g. trackyou.example.com – under the control of a third-party through the use of a CNAME DNS record. This makes a third-party tracker associated with the subdomain look like it belongs to the first-party domain, example.com.

The boffins from Belgium studied the CNAME-based tracking ecosystem and found 13 different companies using the technique. They claim that the usage of such trackers is growing, up 21 per cent over the past 22 months, and that CNAME trackers can be found on almost 10 per cent of the top 10,000 websites.

What's more, sites with CNAME trackers have an average of about 28 other tracking scripts. They also leak data due to the way web architecture works. The researchers found cookie data leaks on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking. Most of these were the result of third-party analytics scripts setting cookies on the first-party domain.

Not all of these leaks exposed sensitive data but some did. Out of 103 websites with login functionality tested, the researchers found 13 that leaked sensitive info, including the user's full name, location, email address, and authentication cookie.

"This suggests that this scheme is actively dangerous," wrote Dr Lukasz Olejnik, one of the paper's co-authors, in a blog post. "It is harmful to web security and privacy."

Advertising war's collateral damage

In two undisclosed vendors' implementations, CNAME tracking was found to introduce security vulnerabilities, exposing websites to session fixation and cross-site scripting attacks. One of the vendors responded to mitigate the issue; the other did not, the paper says.

One unidentified vendor's tracker created a vulnerability through a function designed to extend the life of first-party advertising and analytics cookies, such as Facebook’s _fbp cookie and Google Analytics' _ga cookie. The vendor's mechanism for doing so failed to provide sufficient validation, enabling a session fixation attack, which is a way of hijacking a browsing session. It could allow, for example, an attacker to make purchases using the victim's credit card.

A different CNAME tracking vendor was found to provide a way to link a user's email to the user's browser fingerprint – a hash based on various measurable browser characteristics.

"This email address is later reflected in a dynamically generated script that is executed on every page load, allowing the website to retrieve it again, even if the user would clear their cookies," the paper explains. "However, because the value of the email address is not properly sanitized, it is possible to include an arbitrary JavaScript payload that will be executed on every page that includes the tracking script."

In addition, the researchers report that ad tech biz Criteo switches specifically to CNAME tracking – putting its cookies into a first-party context – when its trackers encounter users of Safari, which has strong third-party cookie defenses.

According to Olejnik, CNAME tracking can defeat most anti-tracking techniques and there are few defenses against it.

Firefox running the add-on uBlock Origin 1.25+ can see through CNAME deception. So too can Brave, which recently had to repair its CNAME defenses due to problems it created with Tor.

Chrome falls short because it does not have a suitable DNS-resolving API for uBlock Origin to hook into. Safari will limit the lifespan of cookies set via CNAME cloaking but doesn't provide a way to undo the domain disguise to determine whether the subdomain should be blocked outright.

"Because today most anti-tracking works on the principle of filter lists (pattern matching of HTTP requests), the CNAME scheme effectively renders such defenses ineffective," Olejnik said in his blog.

"As a former member of the W3C Technical Architecture Group, I must also say that I’m particularly worried about how this technique is misusing the way that the web works, specifically in the part where the cookies are leaking. In a way, this is the new low."
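The following is an added example, not code from the paper, from uBlock Origin or from any vendor named above. It puts the three mechanisms the article describes side by side: following a CNAME chain to see whether a first-party-looking subdomain really resolves to another site (the cloaking described earlier), working out which first-party cookies a browser would send to such a subdomain (the cookie leak), and comparing a filter-list check on the request hostname with one that also looks at the canonical name (the point about pattern-matching defenses). All hostnames, DNS records, cookies and the tracker list are constructed for the example; the zone is an in-memory table rather than a live resolver, and `registrable_domain` uses a deliberately simplified "last two labels" rule where a real implementation would consult the Public Suffix List.

```python
"""CNAME-cloaking audit over a constructed DNS zone, cookie jar and filter list.

Added example with constructed data; not the paper's or any project's code.
"""
from __future__ import annotations

# Constructed sample zone: owner name -> list of (record type, value).
ZONE = {
    "www.example.com.": [("A", "203.0.113.10")],
    # Publisher subdomain delegated to a tracker via CNAME (the cloaking case).
    "trackyou.example.com.": [("CNAME", "edge.tracker-cdn.example.net.")],
    "edge.tracker-cdn.example.net.": [("CNAME", "ingest.adtech.example.")],
    "ingest.adtech.example.": [("A", "198.51.100.7")],
    # A CNAME that stays within the publisher's own site (benign).
    "static.example.com.": [("CNAME", "cdn.example.com.")],
    "cdn.example.com.": [("A", "203.0.113.20")],
    # A misconfigured loop, to exercise the resolver's guard.
    "loop1.example.com.": [("CNAME", "loop2.example.com.")],
    "loop2.example.com.": [("CNAME", "loop1.example.com.")],
}

# Constructed cookie jar: (name, Domain attribute, host-only flag).
SAMPLE_JAR = [
    ("session_id", "www.example.com", True),  # host-only login cookie
    ("_ga", "example.com", False),            # analytics cookie, Domain=.example.com
    ("_fbp", "example.com", False),           # advertising cookie, Domain=.example.com
]

# Constructed filter list: registrable domains known to host trackers.
TRACKER_DOMAINS = {"adtech.example"}


def normalize(name: str) -> str:
    """Lower-case and make fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."


def resolve_cname_chain(name: str, zone: dict, max_hops: int = 8) -> list[str]:
    """Follow CNAME records; return every name visited, the last being canonical.

    Raises ValueError on a loop or an over-long chain so an auditor never spins.
    """
    chain = [normalize(name)]
    seen = set(chain)
    while len(chain) <= max_hops:
        records = zone.get(chain[-1], [])
        target = next((v for rtype, v in records if rtype == "CNAME"), None)
        if target is None:
            return chain
        target = normalize(target)
        if target in seen:
            raise ValueError(f"CNAME loop at {target}")
        seen.add(target)
        chain.append(target)
    raise ValueError(f"CNAME chain longer than {max_hops} hops from {name}")


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: last two labels (assumption; real code uses the PSL)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def cname_cloaking_target(host: str, page_host: str, zone: dict) -> str | None:
    """Canonical name of `host` when it resolves to a different site than `page_host`."""
    canonical = resolve_cname_chain(host, zone)[-1]
    if registrable_domain(canonical) != registrable_domain(page_host):
        return canonical.rstrip(".")
    return None


def cookies_sent_to(host: str, jar) -> list[str]:
    """Cookie names whose Domain attribute covers `host` (RFC 6265 domain-match)."""
    h = host.rstrip(".").lower()
    sent = []
    for name, domain, host_only in jar:
        d = domain.lower().lstrip(".")
        match = (h == d) if host_only else (h == d or h.endswith("." + d))
        if match:
            sent.append(name)
    return sent


def blocked_by_filter_list(host: str, zone: dict, cname_aware: bool) -> bool:
    """Filter-list check on the request host only, or on the whole CNAME chain."""
    candidates = resolve_cname_chain(host, zone) if cname_aware else [normalize(host)]
    return any(registrable_domain(c) in TRACKER_DOMAINS for c in candidates)


def audit(page_host: str, hosts, zone=ZONE, jar=SAMPLE_JAR) -> dict:
    """Per host: cloaking target, first-party cookies it would receive, filter verdicts."""
    report = {}
    for host in hosts:
        try:
            target = cname_cloaking_target(host, page_host, zone)
        except ValueError as err:
            report[host] = {"error": str(err)}
            continue
        report[host] = {
            "cloaked_to": target,
            "cookies_leaked": cookies_sent_to(host, jar) if target else [],
            "blocked_plain": blocked_by_filter_list(host, zone, cname_aware=False),
            "blocked_cname_aware": blocked_by_filter_list(host, zone, cname_aware=True),
        }
    return report


if __name__ == "__main__":
    for host, row in audit("www.example.com", list(ZONE)).items():
        print(host, row)
```

Running the audit for `www.example.com` shows `trackyou.example.com` resolving to `ingest.adtech.example`, receiving the `_ga` and `_fbp` cookies scoped to `.example.com`, and passing a plain hostname filter while being caught by the CNAME-aware one; `static.example.com` is reported as first-party because its chain never leaves the site.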
