Online trackers are increasingly shifting to the invasive CNAME cloaking technique

With browser makers constantly cracking down on third-party tracking, advertising technology companies are increasingly adopting a DNS technique to evade such defenses, posing a threat to the security and privacy of the web.

Called CNAME cloaking, the practice of blurring the distinction between first-party and third-party cookies not only results in the leakage of confidential private information without users' knowledge and consent, but also "increases [the] threat surface to the security of the web," said a group of researchers (Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen and Tom Van Goethem) in a new study.

"This tracking scheme takes advantage of a CNAME record on a subdomain in such a way that it is same-site with the including site," the researchers said in the paper. "As such, the defenses that block third-party cookies become ineffective."

The findings are due to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021).

Increase in anti-tracking measures

In the past four years, all major browsers, with the notable exception of Google Chrome, have included countermeasures to contain third-party tracking.

Apple kicked off a Safari feature called Intelligent Tracking Prevention (ITP) in June 2017, setting a new standard for privacy on desktop and mobile by reducing cross-site tracking through "further limiting cookies and other website data". Two years later, the iPhone maker drew up a separate plan called "Privacy Preserving Ad Click Attribution" to make online ads private.

Mozilla then started blocking third-party cookies in Firefox by default in September 2019 through a feature called Enhanced Tracking Protection (ETP), and in January 2020, Microsoft's Chromium-based Edge browser did the same. Subsequently, in late March 2020, Apple updated ITP with full blocking of third-party cookies, among other features designed to thwart login fingerprinting.

Although Google at the beginning of last year announced plans to phase out third-party cookies and trackers in Chrome in favor of a new framework called the "Privacy Sandbox", it is not expected to go live before 2022.

In the meantime, the search giant has been actively working with ad technology companies on a replacement proposal called "Dovekey", which aims to replace the functionality served by cross-site tracking with privacy-centric technologies for serving personalized ads on the web.

CNAME cloaking as an anti-tracking evasion scheme

Faced with these privacy barriers against cookies, marketers began looking for alternative ways to escape the absolutist stance taken by browser makers against cross-site tracking.

Enter the canonical name (CNAME) cloaking technique, in which sites use first-party subdomains as aliases for third-party tracking domains via CNAME records in their DNS configuration, circumventing tracker blockers.

CNAME records in DNS map one domain or subdomain to another (that is, an alias), making them an ideal means of smuggling tracking code in under the guise of a first-party subdomain.

"This means that a website owner can configure one of their subdomains, such as sub.blog.example, to resolve to thirdParty.example, before resolving to an IP address," explains WebKit security engineer John Wilander. "This happens underneath the web layer and is called CNAME cloaking – the thirdParty.example domain is cloaked as sub.blog.example and therefore has the same powers as the true first party."

In other words, CNAME cloaking makes the tracking code look first-party when in fact it is not: the resource resolves through a CNAME to a domain different from the first-party domain.
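As an added illustration (not code from the paper or from any browser), the following JavaScript follows a subdomain's CNAME chain and compares registrable domains to flag cloaking. The DNS records, the tracker domain, the public-suffix subset and every hostname below are constructed for the example:

```javascript
// Added example (not the researchers' or any browser's code): classify a page
// resource by following its CNAME chain and comparing registrable domains.
// All DNS data, tracker names and the public-suffix subset are constructed.

// Constructed DNS data: hostname -> CNAME target, or null when the name has an
// address record (end of chain). Every name here is hypothetical.
const DNS_TABLE = {
  "metrics.blog.example": "blog.tracker-cdn.example",
  "blog.tracker-cdn.example": "edge.tracker-cdn.example",
  "edge.tracker-cdn.example": null,
  "assets.blog.example": "cdn-provider.example", // legitimate CDN alias
  "cdn-provider.example": null,
  "static.blog.example": null,
  "loop-a.blog.example": "loop-b.blog.example", // misconfigured CNAME loop
  "loop-b.blog.example": "loop-a.blog.example",
};

// Constructed filter list of known CNAME-tracking providers (hypothetical).
const TRACKER_DOMAINS = new Set(["tracker-cdn.example"]);

// Tiny stand-in for the Public Suffix List, enough for the names above.
// Real code must load the full list from publicsuffix.org.
const PUBLIC_SUFFIXES = new Set(["example", "com", "uk", "co.uk"]);

// Registrable domain (eTLD+1): the longest public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return labels.join(".");
}

// Follow CNAME records to the canonical name, with a hop limit so a loop
// (or an absurdly long chain) fails closed instead of hanging.
function resolveCnameChain(host, table = DNS_TABLE, maxHops = 8) {
  const chain = [host.toLowerCase()];
  for (let hop = 0; hop < maxHops; hop++) {
    const current = chain[chain.length - 1];
    const target = table[current];
    if (target === undefined) throw new Error(`NXDOMAIN: ${current}`);
    if (target === null) return chain; // address record reached
    chain.push(target.toLowerCase());
  }
  throw new Error(`CNAME chain from ${host} exceeds ${maxHops} hops`);
}

// Classify a request to `host` issued by a page on `pageHost`.
// "cloaked": the hostname is same-site with the page, but its canonical name
// lives under a different registrable domain. "knownTracker" additionally
// matches that canonical domain against the filter list, because many cloaked
// CNAMEs are ordinary CDN aliases that must not be blocked.
function classifyRequest(pageHost, host, table = DNS_TABLE) {
  const chain = resolveCnameChain(host, table);
  const canonical = chain[chain.length - 1];
  const pageSite = registrableDomain(pageHost);
  const canonicalSite = registrableDomain(canonical);
  const looksFirstParty = registrableDomain(host) === pageSite;
  const cloaked = looksFirstParty && canonicalSite !== pageSite;
  return {
    host,
    canonical,
    chain,
    looksFirstParty,
    cloaked,
    knownTracker: cloaked && TRACKER_DOMAINS.has(canonicalSite),
  };
}

// Usage: verdicts for three hypothetical resources embedded by www.blog.example.
for (const h of ["metrics.blog.example", "assets.blog.example", "static.blog.example"]) {
  const v = classifyRequest("www.blog.example", h);
  console.log(`${h} -> ${v.canonical}: cloaked=${v.cloaked} knownTracker=${v.knownTracker}`);
}
```

The registrable-domain comparison is what makes the check meaningful: a bare "has a CNAME" test would also flag ordinary CDN aliases such as the assets host above, which is why tracker blockers combine the canonical name with a filter list rather than blocking every cloaked subdomain. The hop limit matters too, since a looping or very long chain from a hostile zone must not stall the request pipeline.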

It is not surprising that this tracking scheme is rapidly gaining momentum, growing by 21% in the last 22 months.

Cookies leak sensitive information to trackers

The researchers found this technique in use on 9.98% of the top 10,000 sites, and identified 13 providers of such tracking "services" across 10,474 sites.

Furthermore, the study cites a "targeted treatment of Apple's Safari browser", in which ad technology company Criteo specifically switched to CNAME cloaking to circumvent the browser's privacy protections.

Given that Apple has already rolled out defenses against CNAME cloaking, this finding likely better reflects devices that do not run iOS 14 and macOS Big Sur, which support the feature.

Perhaps the most worrying of the revelations is that cookie data leaks were found on 7,377 (95%) of the 7,797 sites that used CNAME tracking, all of which sent cookies containing private information, such as full names, locations, email addresses and even authentication cookies, to trackers on other domains without the user's explicit consent.

"In fact, it is even ridiculous, because why would the user allow a third-party tracker to receive totally unrelated data, including confidential and private data?" asks Olejnik.

With many CNAME trackers included over HTTP as opposed to HTTPS, the researchers also raise the possibility that a request sending analytics data to the tracker could be intercepted by a malicious adversary in a man-in-the-middle (MitM) attack.
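To make both the leak and the HTTP caveat concrete, here is an added example (not from the study) of the cookie-matching rules a browser applies when it builds the Cookie header for a request. With a constructed cookie jar for blog.example, a request to the cloaked subdomain metrics.blog.example receives every cookie scoped to the parent domain, including the email address, while a request to the tracker's real hostname gets none; over plain HTTP the Secure-flagged cookies are withheld but the rest still travel in the clear. All hostnames and cookie values are hypothetical:

```javascript
// Added example (not the paper's code): which stored cookies a browser attaches
// to a request, following the domain-match, path-match and secure-only rules
// of RFC 6265 section 5.4. The cookie jar and hostnames are constructed.

// Constructed cookie jar for a site at blog.example. `hostOnly` cookies were
// set without a Domain attribute and are bound to the exact host that set them;
// the others carry Domain=blog.example and so cover every subdomain.
const COOKIE_JAR = [
  { name: "session", value: "e0f1c2", domain: "www.blog.example", hostOnly: true, path: "/", secure: true },
  { name: "uid", value: "u-4821", domain: "blog.example", hostOnly: false, path: "/", secure: false },
  { name: "email", value: "alice@example.net", domain: "blog.example", hostOnly: false, path: "/", secure: true },
  { name: "cart", value: "3", domain: "blog.example", hostOnly: false, path: "/shop", secure: false },
];

// RFC 6265 5.1.3: a host domain-matches a cookie domain when equal, or when
// the host ends with "." + domain and is not an IP address.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || (h.endsWith("." + d) && !/^\d+\.\d+\.\d+\.\d+$/.test(h));
}

// RFC 6265 5.1.4: path matching on "/" boundaries.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies that would be sent to `url`, in jar order.
function cookiesFor(url, jar = COOKIE_JAR) {
  const u = new URL(url);
  return jar
    .filter((c) => {
      const domainOk = c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain);
      const secureOk = !c.secure || u.protocol === "https:";
      return domainOk && pathMatches(u.pathname, c.path) && secureOk;
    })
    .map((c) => c.name);
}

// Usage: the same jar, four destinations.
for (const url of [
  "https://www.blog.example/",
  "https://metrics.blog.example/collect",  // cloaked tracker subdomain, HTTPS
  "http://metrics.blog.example/collect",   // cloaked tracker subdomain, plain HTTP
  "https://edge.tracker-cdn.example/collect", // tracker's real hostname
]) {
  console.log(`${url} -> [${cookiesFor(url).join(", ")}]`);
}
```

Note what the Secure flag does and does not buy here: over HTTP the tracker still receives the uid cookie, and it receives it in plaintext, which is the MitM exposure the researchers describe. The host-only session cookie stays with www.blog.example, but any cookie a site sets with an explicit Domain attribute flows to every subdomain, cloaked ones included.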

In addition, the increased attack surface created by including a tracker as same-site can expose a site's visitors' data to session fixation and cross-site scripting attacks, they warn.

The researchers said they worked with the developers of the tracker to resolve the issues mentioned.

Mitigating CNAME cloaking

Although Firefox does not block CNAME cloaking by default, users can install an add-on such as uBlock Origin to block these stealthy first-party trackers. Incidentally, the company yesterday began rolling out Firefox 86 with Total Cookie Protection, which prevents cross-site tracking by "confin[ing] all cookies from each website in a separate cookie jar".

Apple's iOS 14 and macOS Big Sur, on the other hand, ship additional safeguards built on ITP to protect against third-party CNAME cloaking, although they offer no means to unmask the tracker's domain and block it outright.

"ITP now detects third-party CNAME cloaking requests and limits the expiration of any cookie set in the HTTP response to seven days," Wilander detailed in a post in November 2020.
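The following is an added example (not WebKit's code) of that mitigation applied to a Set-Cookie header: cookies set by a response to a request already classified as third-party CNAME cloaking get their lifetime capped at seven days, while cookies from ordinary responses pass through unchanged. The cloaking decision is passed in as a boolean, and the headers and cookie names are constructed:

```javascript
// Added example (not WebKit's implementation): cap the lifetime of cookies
// set by a CNAME-cloaked third-party response to seven days. The `cloaked`
// flag is assumed to come from an earlier classification step; the
// Set-Cookie headers used below are constructed.

const SEVEN_DAYS_S = 7 * 24 * 60 * 60;

// Canonical spelling for attributes we re-emit.
const ATTR_CASE = {
  "max-age": "Max-Age", expires: "Expires", path: "Path", domain: "Domain",
  secure: "Secure", httponly: "HttpOnly", samesite: "SameSite",
};

// Parse one Set-Cookie header into name, value and lower-cased attributes
// (attribute insertion order is kept so the header can be re-serialized).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

function serializeSetCookie(c) {
  const parts = [`${c.name}=${c.value}`];
  for (const [k, v] of Object.entries(c.attrs)) {
    const label = ATTR_CASE[k] || k;
    parts.push(v === true ? label : `${label}=${v}`);
  }
  return parts.join("; ");
}

// Returns the header to store. Session cookies (no Expires/Max-Age) and
// cookies already expiring within the cap are left untouched; anything longer
// is rewritten to Max-Age of seven days. Max-Age takes precedence over
// Expires in RFC 6265, so any Expires attribute is dropped rather than left
// to contradict the cap.
function capCookieLifetime(header, cloaked, now = Date.now()) {
  if (!cloaked) return header;
  const c = parseSetCookie(header);
  let expiresAt = null;
  if (c.attrs["max-age"] !== undefined) {
    expiresAt = now + Number(c.attrs["max-age"]) * 1000;
  } else if (c.attrs.expires !== undefined) {
    expiresAt = Date.parse(c.attrs.expires);
  }
  if (expiresAt === null || Number.isNaN(expiresAt)) return header; // session cookie
  if (expiresAt - now <= SEVEN_DAYS_S * 1000) return header;        // already short-lived
  delete c.attrs.expires;
  c.attrs["max-age"] = String(SEVEN_DAYS_S);
  return serializeSetCookie(c);
}

// Usage: a one-year tracking cookie from a cloaked response becomes a seven-day one.
console.log(capCookieLifetime("uid=u-4821; Max-Age=31536000; Path=/; Domain=blog.example", true));
```

Capping rather than dropping the cookie is deliberate: it preserves whatever first-party functionality the subdomain provides while preventing a cloaked tracker from persisting an identifier indefinitely, which is the trade-off the quoted ITP change makes. Anything that still needs to be blocked outright has to be handled by a filter list, as the Firefox and Brave approaches above do.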

The same goes for the Brave browser, which last week had to issue emergency fixes for a bug that arose as a result of adding its CNAME-based ad-blocking feature and, in the process, sent DNS queries for .onion domains to public internet resolvers rather than routing them through Tor.

Chrome (and, by extension, other Chromium-based browsers) is the only glaring omission: it neither blocks CNAME cloaking natively nor, unlike Firefox, makes it easy for third-party extensions to resolve DNS queries and look up CNAME records before a request is sent.

"The emerging CNAME tracking technique [...] evades anti-tracking measures," said Olejnik. "This presents serious security and privacy issues. User data is leaking persistently and consistently, without the user's knowledge or consent. This probably triggers clauses related to GDPR and ePrivacy."

“In a way, this is the new low,” he added.
