
As browser vendors keep tightening restrictions on third-party tracking, advertising technology companies are increasingly adopting a DNS-based technique to evade those defenses, posing a threat to web security and privacy.
Called CNAME cloaking, the practice of blurring the distinction between first-party and third-party cookies not only leads to the leakage of sensitive private information without users' knowledge and consent, but also “increases [the] web security threat surface,” said a group of researchers, Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen and Tom Van Goethem, in a new study.
“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site with the including website,” the researchers said in the paper. “As such, defenses that block third-party cookies are rendered ineffective.”
The findings are expected to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021).
Rising anti-tracking measures
Over the past four years, every major browser, with the notable exception of Google Chrome, has shipped countermeasures to curb third-party tracking.
Apple set the ball rolling with a Safari feature called Intelligent Tracking Prevention (ITP) in June 2017, setting a new standard for desktop and mobile privacy by curbing cross-site tracking through “further limiting cookies and other website data.” Two years later, the iPhone maker outlined a separate plan called “Privacy Preserving Ad Click Attribution” to make online advertising private.
Mozilla followed by blocking third-party cookies in Firefox by default from September 2019 with a feature called Enhanced Tracking Protection (ETP), and in January 2020 Microsoft’s Chromium-based Edge browser did the same. Then, in late March 2020, Apple updated ITP with full third-party cookie blocking, among other features designed to counter login fingerprinting.
Although Google announced plans early last year to phase out third-party cookies and trackers in Chrome in favor of a new framework called the “Privacy Sandbox,” the change is not expected to take effect until 2022.
Meanwhile, the search giant has been actively working with ad tech companies on a proposed replacement called “Dovekey,” which aims to replicate the functionality of cross-site tracking using privacy-preserving technologies to serve personalized ads on the web.
CNAME cloaking as an anti-tracking evasion technique
Faced with these barriers to cookie-based tracking, marketers have begun looking for alternative ways to get around the hard line browser vendors have taken against cross-site tracking.
Enter canonical name (CNAME) cloaking, in which websites use first-party subdomains as aliases for third-party tracking domains via CNAME records in their DNS configuration, thereby bypassing tracking blockers.
A CNAME record in DNS maps one domain or subdomain to another (i.e. an alias), which makes it an ideal way to smuggle tracking code in under the guise of a first-party subdomain.
“This means that a site owner can configure one of their subdomains, such as sub.blog.example, to resolve to thirdParty.example, before resolving to an IP address,” explains WebKit security engineer John Wilander. “This happens underneath the web layer and is called CNAME cloaking – the thirdParty.example domain is cloaked as sub.blog.example and thus has the same powers as the true first party.”
In other words, CNAME cloaking makes tracking code appear to be first-party when it is not: the resource is served from a host whose CNAME record points to a domain that differs from the first-party domain.
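As an added illustration of the mechanism described above (example code written for this page, not taken from the paper or from any browser or extension), the following Python script walks a hostname's CNAME chain the way an uncloaking extension does before a request is sent, and flags the request when the chain ends outside the first party's registrable domain. The records in `SAMPLE_CNAMES` and every hostname in them are constructed, and `PUBLIC_SUFFIXES` is a tiny stand-in for the Public Suffix List, which a real implementation would load in full.

```python
"""Detect CNAME cloaking by walking a hostname's CNAME chain.

Added example, not from the paper or from any browser or extension.  The
records in SAMPLE_CNAMES are constructed, and PUBLIC_SUFFIXES is a tiny
stand-in for the Public Suffix List (assumption: a real deployment loads
the full list, e.g. via the publicsuffix2 package).
"""
from typing import Dict, List

# Constructed resolver answers: owner name -> canonical name (FQDNs).
# metrics.news.example looks first-party, but two hops later it lands on a
# tracker's domain; static.news.example is an ordinary CDN alias; mail is a
# CNAME that never leaves the site.
SAMPLE_CNAMES: Dict[str, str] = {
    "metrics.news.example.": "news-example.trk-edge.example.",
    "news-example.trk-edge.example.": "collector.tracker.example.",
    "static.news.example.": "news-example.cdn.example.",
    "mail.news.example.": "mx.news.example.",
}

PUBLIC_SUFFIXES = {"example", "com", "net", "co.uk"}  # assumption: tiny stand-in


def registrable_domain(host: str) -> str:
    """eTLD+1 of host (the 'site' browsers use for first/third-party decisions)."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # the label just above the public suffix is the registrable one
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def resolve_cname_chain(host: str, cnames: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from host to the name that finally owns the A/AAAA
    records.  Refuses loops and over-long chains, as a resolver would."""
    chain = [host]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in chain:
            raise ValueError(f"CNAME loop at {nxt}")
        if len(chain) > max_hops:
            raise ValueError(f"CNAME chain longer than {max_hops} hops")
        chain.append(nxt)
    return chain


def is_cname_cloaked(host: str, first_party: str, cnames: Dict[str, str]) -> bool:
    """True when host is nominally same-site with first_party but its CNAME
    chain ends on a different registrable domain.  A plain cross-site
    request is not cloaking (ordinary third-party cookie blocking covers it)."""
    site = registrable_domain(first_party)
    if registrable_domain(host) != site:
        return False
    return registrable_domain(resolve_cname_chain(host, cnames)[-1]) != site


if __name__ == "__main__":
    site = "news.example."
    for h in SAMPLE_CNAMES:
        chain = " -> ".join(resolve_cname_chain(h, SAMPLE_CNAMES))
        verdict = "CLOAKED" if is_cname_cloaked(h, site, SAMPLE_CNAMES) else "ok     "
        print(f"{verdict} {chain}")
```

Note that `static.news.example` is flagged too: a CDN alias is cross-site by the same DNS test, which is why a blocker should compare the unmasked canonical name against a tracker list rather than block every cross-site CNAME outright.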
Not surprisingly, the technique is quickly gaining traction, growing 21% over the last 22 months.
Cookies leak sensitive information to trackers
In their study, the researchers found that the technique is used on 9.98% of the top 10,000 websites, and identified 13 providers of such “tracking services” across 10,474 websites.
Moreover, the study cites a “targeted treatment of the Apple Safari web browser” in which ad tech company Criteo specifically switched to CNAME cloaking to circumvent the privacy protections in the browser.

Given that Apple has already rolled out cookie-lifetime-based defenses against CNAME cloaking, this finding most likely reflects devices that do not run iOS 14 or macOS Big Sur, which support the feature.
Perhaps the most worrying of the findings is that cookie data leaks were found on 7,377 (95%) of the 7,797 sites that used CNAME tracking, all of which sent cookies containing private information such as full names, locations, email addresses and even authentication cookies to trackers on other domains without the user’s explicit consent.
“In fact, it’s ridiculous, because why would the user accept that a third-party tracker receives totally unrelated data, including sensitive and private ones?”
With many CNAME trackers included over HTTP rather than HTTPS, the researchers also raise the possibility that a request sending analytics data to the tracker could be intercepted by a malicious adversary in a man-in-the-middle (MitM) attack.
Moreover, the increased attack surface created by including a tracker as same-site could expose website visitors’ data to session fixation and cross-site scripting attacks, they warn.
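To make the cookie leak, and the HTTP-versus-HTTPS point, concrete, here is an added Python example (not from the paper) that applies the domain-, path- and Secure-matching rules of RFC 6265 to a constructed first-party cookie jar and lists what a browser would attach to a request for a cloaked tracker subdomain. The hostnames, cookie names and values are made up; the point is that cookies the site scoped to `Domain=news.example` so its own subdomains can read them are exactly the ones that reach a cloaked subdomain, and that non-Secure ones also travel over a plain-HTTP tracker include.

```python
"""Which first-party cookies reach a CNAME-cloaked tracker subdomain?

Added example, not from the paper.  It applies the domain-matching
(RFC 6265 section 5.1.3), path-matching (5.1.4) and Secure-attribute rules
to a constructed cookie jar.  Hostnames, cookie names and values are made up.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # origin host for host-only cookies, else the Domain attribute
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False


# Constructed jar for the made-up site news.example.
SAMPLE_JAR: List[Cookie] = [
    # auth cookie scoped to the whole site with Domain=news.example, no Secure flag
    Cookie("sessionid", "2f9c0d", "news.example", host_only=False),
    # profile data scoped to the whole site, but marked Secure
    Cookie("user_email", "alice@mail.example", "news.example", host_only=False, secure=True),
    # set without a Domain attribute: host-only, stays on news.example itself
    Cookie("csrf", "a1b2", "news.example", host_only=True),
    # site-wide but restricted to /admin
    Cookie("admin", "1", "news.example", host_only=False, path="/admin"),
    # belongs to an unrelated site
    Cookie("prefs", "dark", "other.example", host_only=False),
]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or request_host ends with '.' + cookie_domain."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar: List[Cookie], scheme: str, host: str, path: str = "/") -> List[str]:
    """Names of the cookies a browser would attach to scheme://host/path.
    SameSite is ignored on purpose: a cloaked subdomain *is* same-site, so
    that attribute never helps here."""
    out = []
    for c in jar:
        if c.host_only:
            if host.lower().rstrip(".") != c.domain.lower():
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and scheme != "https":
            continue
        out.append(c.name)
    return out


if __name__ == "__main__":
    # metrics.news.example is the (constructed) cloaked tracker subdomain
    for url in ("https://metrics.news.example/collect",
                "http://metrics.news.example/collect",
                "https://news.example/admin"):
        scheme, rest = url.split("://", 1)
        host, _, tail = rest.partition("/")
        print(url, "->", cookies_sent(SAMPLE_JAR, scheme, host, "/" + tail))
```

Over HTTPS the cloaked subdomain receives the session cookie and the e-mail address; over HTTP it still receives the session cookie in the clear, which is the MitM exposure the researchers describe. Only the host-only `csrf` cookie and the `/admin`-scoped cookie stay put, so dropping the `Domain` attribute on cookies that subdomains do not genuinely need is the cheapest first-party mitigation.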
The researchers said they have worked with the tracker developers to address the issues above.
Mitigating CNAME cloaking
While Firefox does not block CNAME cloaking out of the box, users can install an add-on such as uBlock Origin to block such trackers disguised as first-party. In fact, the company yesterday began rolling out Firefox 86 with Total Cookie Protection, which prevents cross-site tracking by “confin[ing] all cookies from each website in a separate cookie jar.”
Apple’s iOS 14 and macOS Big Sur, on the other hand, come with additional safeguards that build on ITP to protect against third-party CNAME cloaking, although they do not provide a way to unmask and block the tracker’s domain outright.
“ITP now detects third-party CNAME cloaking requests and caps the expiry of any cookies set in the HTTP response to seven days,” Wilander said in a write-up from November 2020.
So does the Brave browser, which last week had to ship emergency fixes for a bug that arose from adding the CNAME-based ad-blocking feature and, in the process, sent queries for .onion domains to public internet DNS resolvers rather than routing them through Tor nodes.
Chrome (and by extension, other Chromium-based browsers) is the only notable omission: it neither blocks CNAME cloaking natively nor, unlike Firefox, lets third-party extensions unmask it by resolving DNS queries to retrieve CNAME records before a request is sent.
“The emerging CNAME tracking technique […] evades anti-tracking measures,” Olejnik said. “It introduces serious security and privacy issues. User data is leaked, constantly and consistently, without the user’s awareness or consent. This is likely to trigger the GDPR and ePrivacy clauses.”
“In a way, this is the new low,” he added.