Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security.
In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven-affiliated researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem delve into increasing adoption of CNAME-based tracking, which abuse DNS records to erase the distinction between first-party and third-party contexts.
“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site,” the paper explains. “As such, defenses that block third-party cookies are rendered ineffective.”
The web security model is based on what’s known as the same-origin policy. Resources that have the same origin, or domain, are afforded a higher level of trust than resources available elsewhere, at a different origin or domain. That’s why websites can set and access their own (first-party) cookies in a visitor’s browser, for example, and shouldn’t be able to access cookies associated with a different domain (third-party).
While online publishers have been happy to allow advertisers to run third-party tracking code on their websites to collect data and follow people as they visit different websites, internet users and privacy-focused web browsers have ramped up privacy defenses over the past few years to limit the application of web-based tracking.
We will track you
Advertising technology companies have a history of figuring out ways around such barriers, however. Recall Google’s efforts to override Safari’s third-party cookie settings, which elicited an inconsequential $22.5m fine from the FTC in 2012.
Now, with the increasingly effective cookie cordons being erected in privacy-focused browsers like Brave, Firefox, and Safari, marketers have stepped up efforts to evade anti-tracking measures.
A technique known as DNS delegation or DNS aliasing has been known since at least 2007 and showed up in privacy-focused research papers in 2010 [PDF] and 2014 [PDF]. Based on the use of CNAME DNS records, the counter anti-tracking mechanism drew attention two years ago when open source developer Raymond Hill implemented a defense in the Firefox version of his uBlock Origin content blocking extension.
Brave browser leaks visited Tor .onion addresses in DNS traffic, fix released after bug hunter raises alarm
CNAME cloaking involves having a web publisher put a subdomain – e.g. trackyou.example.com – under the control of a third-party through the use of a CNAME DNS record. This makes a third-party tracker associated with the subdomain look like it belongs to the first-party domain, example.com.
The boffins from Belgium studied the CNAME-based tracking ecosystem and found 13 different companies using the technique. They claim that the usage of such trackers is growing, up 21 per cent over the past 22 months, and that CNAME trackers can be found on almost 10 per cent of the top 10,000 websites.
What’s more, sites with CNAME trackers have an average of about 28 other tracking scripts. They also leak data due to the way web architecture works. The researchers found cookie data leaks on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking. Most of these were the result of third-party analytics scripts setting cookies on the first-party domain.
Not all of these leaks exposed sensitive data but some did. Out of 103 websites with login functionality tested, the researchers found 13 that leaked sensitive info, including the user’s full name, location, email address, and authentication cookie.
“This suggests that this scheme is actively dangerous,” wrote Dr Lukasz Olejnik, one of the paper’s co-authors, an independent privacy researcher, and consultant, in a blog post. “It is harmful to web security and privacy.”
Advertising war’s collateral damage
CNAME tracking was found to introduce two security vulnerabilities in undisclosed vendors’ implementations by making websites vulnerable to session fixation and cross-site scripting attacks. One of the vendors responded to mitigate the issue; the other did not, the paper says.
One unidentified vendor’s tracker created a vulnerability through a function designed to extend the life of first-party advertising and analytics cookies, such as Facebook’s
_fbp cookie and Google Analytics’
_ga cookie. The vendor’s mechanism for doing so failed to provide sufficient validation, enabling a session fixation attack, which is a way of hijacking a browsing session. It could allow, for example, an attacker to make purchases using the victim’s credit card.
A different CNAME tracking vendor was found to provide a way to link a user’s email to the user’s browser fingerprint – a hash based on various measurable browser characteristics.
In addition, the researchers report that ad tech biz Criteo switches specifically to CNAME tracking – putting its cookies into a first-party context – when its trackers encountered users of Safari, which has strong third-party cookie defenses.
According to Olejnik, CNAME tracking can defeat most anti-tracking techniques and there are few defenses against it.
Chrome falls short because it does not have a suitable DNS-resolving API for uBlock Origin to hook into. Safari will limit the lifespan of cookies set via CNAME cloaking but doesn’t provide a way to undo the domain disguise to determine whether the subdomain should be blocked outright.
“Because today most anti-tracking works on the principle of filter lists (pattern matching of HTTP requests), the CNAME scheme effectively renders such defenses ineffective,” Olejnik said in his blog.
“As a former member of the W3C Technical Architecture Group, I must also say that I’m particularly worried about how this technique is misusing the way that the web works, specifically in the part where the cookies are leaking. In a way, this is the new low.”