Security

What's CNAME of your game? This DNS-based tracking defies your browser privacy defenses

Study sees increasing adoption of cloaking to bypass cookie barriers


Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security.

In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven-affiliated researchers Yana Dimova, Gunes Acar, Wouter Joosen, and Tom Van Goethem, and privacy consultant Lukasz Olejnik, delve into increasing adoption of CNAME-based tracking, which abuses DNS records to erase the distinction between first-party and third-party contexts.

"This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site," the paper explains. "As such, defenses that block third-party cookies are rendered ineffective."

The web security model is based on what's known as the same-origin policy. Resources that have the same origin, or domain, are afforded a higher level of trust than resources available elsewhere, at a different origin or domain. That's why websites can set and access their own (first-party) cookies in a visitor's browser, for example, and shouldn't be able to access cookies associated with a different domain (third-party).

While online publishers have been happy to allow advertisers to run third-party tracking code on their websites to collect data and follow people as they visit different websites, internet users and privacy-focused web browsers have ramped up privacy defenses over the past few years to limit the application of web-based tracking.

We will track you

Advertising technology companies have a history of figuring out ways around such barriers, however. Recall Google's efforts to override Safari's third-party cookie settings, which elicited an inconsequential $22.5m fine from the FTC in 2012.

Now, with the increasingly effective cookie cordons being erected in privacy-focused browsers like Brave, Firefox, and Safari, marketers have stepped up efforts to evade anti-tracking measures.

A technique known as DNS delegation or DNS aliasing has been known since at least 2007 and showed up in privacy-focused research papers in 2010 [PDF] and 2014 [PDF]. Based on the use of CNAME DNS records, the counter anti-tracking mechanism drew attention two years ago when open source developer Raymond Hill implemented a defense in the Firefox version of his uBlock Origin content blocking extension.

Brave browser leaks visited Tor .onion addresses in DNS traffic, fix released after bug hunter raises alarm

READ MORE

CNAME cloaking involves having a web publisher put a subdomain – e.g. trackyou.example.com – under the control of a third-party through the use of a CNAME DNS record. This makes a third-party tracker associated with the subdomain look like it belongs to the first-party domain, example.com.

The boffins from Belgium studied the CNAME-based tracking ecosystem and found 13 different companies using the technique. They claim that the usage of such trackers is growing, up 21 per cent over the past 22 months, and that CNAME trackers can be found on almost 10 per cent of the top 10,000 websites.

What's more, sites with CNAME trackers have an average of about 28 other tracking scripts. They also leak data due to the way web architecture works. The researchers found cookie data leaks on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking. Most of these were the result of third-party analytics scripts setting cookies on the first-party domain.

Not all of these leaks exposed sensitive data but some did. Out of 103 websites with login functionality tested, the researchers found 13 that leaked sensitive info, including the user's full name, location, email address, and authentication cookie.

"This suggests that this scheme is actively dangerous," wrote Dr Lukasz Olejnik, one of the paper's co-authors, in a blog post. "It is harmful to web security and privacy."

Advertising war's collateral damage

CNAME tracking was found to introduce two security vulnerabilities in undisclosed vendors' implementations by making websites vulnerable to session fixation and cross-site scripting attacks. One of the vendors responded to mitigate the issue; the other did not, the paper says.

One unidentified vendor's tracker created a vulnerability through a function designed to extend the life of first-party advertising and analytics cookies, such as Facebook’s _fbp cookie and Google Analytics' _ga cookie. The vendor's mechanism for doing so failed to provide sufficient validation, enabling a session fixation attack, which is a way of hijacking a browsing session. It could allow, for example, an attacker to make purchases using the victim's credit card.

A different CNAME tracking vendor was found to provide a way to link a user's email to the user's browser fingerprint – a hash based on various measurable browser characteristics.

"This email address is later reflected in a dynamically generated script that is executed on every page load, allowing the website to retrieve it again, even if the user would clear their cookies," the paper explains. "However, because the value of the email address is not properly sanitized, it is possible to include an arbitrary JavaScript payload that will be executed on every page that includes the tracking script."

In addition, the researchers report that ad tech biz Criteo switches specifically to CNAME tracking – putting its cookies into a first-party context – when its trackers encountered users of Safari, which has strong third-party cookie defenses.

According to Olejnik, CNAME tracking can defeat most anti-tracking techniques and there are few defenses against it.

Firefox running the add-on uBlock Origin 1.25+ can see through CNAME deception. So too can Brave, which recently had to repair its CNAME defenses due to problems it created with Tor.

Chrome falls short because it does not have a suitable DNS-resolving API for uBlock Origin to hook into. Safari will limit the lifespan of cookies set via CNAME cloaking but doesn't provide a way to undo the domain disguise to determine whether the subdomain should be blocked outright.

"Because today most anti-tracking works on the principle of filter lists (pattern matching of HTTP requests), the CNAME scheme effectively renders such defenses ineffective," Olejnik said in his blog.

"As a former member of the W3C Technical Architecture Group, I must also say that I’m particularly worried about how this technique is misusing the way that the web works, specifically in the part where the cookies are leaking. In a way, this is the new low."

Send us news
57 Comments

In-app browsers are still a privacy, security, and choice problem

Regulators reminded that longstanding concerns haven't been addressed

Majority of Americans now use ad blockers

We're dreaming of a white list, because we're just like the ones you used to know

Microsoft Copilot for Security prepares for April liftoff

Automated AI helper intended to make security more manageable

Row breaks out over true severity of two DNSSEC flaws

Some of us would be happy being rated 7.5 out of 10, just sayin'

Google gooses Safe Browsing with real-time protection that doesn't leak to ad giant

Rare occasion when you do want Big Tech to make a hash of it

We talk to W3C board vice-chair Robin Berjon about the InterPlanetary File System

The decentralized web is alive and well despite Web3 financial scheming

In the rush to build AI apps, please, please don't leave security behind

Supply-chain attacks are definitely possible and could lead to data theft, system hijacking, and more

FreeBSD Foundation hands out Beacon gongs for safer software

Multiple CHERI-related projects win money for important research that prizes safety over speed

Canva acquires Affinity, further wounding a regulator-bruised Adobe

Yet another reason to reconsider that overpriced Creative Cloud subscription

AI models show racial bias based on written dialect, researchers find

Those using African American vernacular more likely to be sentenced to death, if LLMs were asked to decide

US critical infrastructure cyberattack reporting rules inch closer to reality

After all, it's only about keeping the essentials on – no rush

Miscreants are exploiting enterprise tech zero days more and more, Google warns

Crooks know where the big bucks are