Online trackers are increasingly turning to the invasive CNAME cloaking technique

With browser makers steadily blocking third-party trackers, ad technology companies are increasingly embracing a DNS technique to bypass those defenses, posing a threat to web security and privacy.

Called CNAME cloaking, the practice blurs the distinction between first-party and third-party cookies; it not only leads to the leakage of sensitive private information without users’ knowledge and consent, but also increasingly threatens web security, according to a new study by researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen and Tom Van Goethem.

“This tracking scheme uses a CNAME record on a subdomain so that it is same-site with the including website,” the researchers write in the paper. As a result, defenses that block third-party cookies are ineffective against it.

The findings are expected to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021).

Increase in anti-tracking measures

In the past four years, all major browsers, with the exception of Google Chrome, have taken countermeasures to prevent third-party tracking.

Apple got the ball rolling with a Safari feature called Intelligent Tracking Prevention (ITP) in June 2017, setting a new privacy standard for desktop and mobile that reduces cross-site tracking by “further restricting cookies and other website data”. Two years later, the iPhone maker outlined a separate plan called Privacy Preserving Ad Click Attribution to make online ad attribution private.

Mozilla then began blocking third-party tracking cookies in Firefox by default in September 2019 through a feature called Enhanced Tracking Protection (ETP), and in January 2020 Microsoft’s Chromium-based Edge browser followed suit. In late March 2020, Apple updated ITP to block all third-party cookies, alongside other features intended to thwart login fingerprinting.

While Google announced plans early last year to phase out third-party cookies and trackers in Chrome in favor of a new framework dubbed the Privacy Sandbox, it isn’t expected to go live until sometime in 2022.

In the meantime, the search giant is actively working with ad technology companies on a proposed replacement called Dovekey, which aims to replace cross-site tracking with privacy-focused technologies that can still deliver personalized ads across the web.

CNAME cloaking as an anti-tracking evasion scheme

Faced with these cookie-killing, privacy-improving barriers, marketers have started looking for alternative ways around browser makers’ hard line against cross-site tracking.

Enter canonical name (CNAME) cloaking, in which websites use first-party subdomains as aliases for third-party tracking domains, via CNAME records in their DNS configuration, to slip past tracker blockers.

A CNAME record in DNS makes one domain or subdomain an alias for another, which makes it an ideal vehicle for smuggling tracking code in under the guise of a first-party subdomain.

“This means that a site owner can configure one of their subdomains, such as sub.blog.example, to resolve to thirdParty.example before resolving to an IP address,” explains WebKit security engineer John Wilander. “This happens beneath the web layer and is called CNAME cloaking – the thirdParty.example domain is camouflaged as sub.blog.example and thus has the same privileges as the real first party.”

In other words, CNAME cloaking makes the tracking code look first-party when it is not: the resource name resolves, via the CNAME, to a domain other than the first party’s.
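The check that tracker blockers such as uBlock Origin perform follows directly from the mechanism above: resolve the subdomain’s CNAME chain and compare the registrable domain of the canonical name with that of the page. The following is an added example written for this page, not code from the paper or from any browser or blocker. The DNS answers, the tracker list and all host names are constructed so that it runs offline; a real tool would call `dns.promises.resolveCname()` for each hop and would use the Public Suffix List rather than the two-label heuristic used here.

```javascript
// Added example (not from the paper, uBlock Origin or any browser): flag a
// first-party subdomain whose CNAME chain ends at a different registrable
// domain. DNS answers are a constructed table so it runs offline; a real tool
// would query dns.promises.resolveCname() for each hop instead.

// Constructed CNAME answers, hostname -> canonical name. Hosts missing from the
// table are assumed to resolve directly to an address.
const CNAME_TABLE = {
  'metrics.blog.example': 'blog-example.collect.trackerhost.example', // hypothetical cloaked tracker
  'blog-example.collect.trackerhost.example': 'edge.trackerhost.example',
  'www.blog.example': 'blog.example',                                  // alias that stays on the site
  'assets.blog.example': 'blog-example.cdn.example',                   // hypothetical CDN
};

// Constructed stand-in for a filter list of known tracking domains.
const TRACKER_DOMAINS = new Set(['trackerhost.example']);

// Last two labels as the registrable domain. Real code must consult the Public
// Suffix List, otherwise "co.uk"-style suffixes are classified wrongly.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Follow CNAMEs to the canonical name, with a hop limit and loop detection.
function resolveChain(host, table, maxHops = 8) {
  const chain = [host];
  let cur = host;
  for (let i = 0; i < maxHops; i++) {
    const next = table[cur];
    if (next === undefined) return chain;          // reached a name with no CNAME
    if (chain.includes(next)) throw new Error(`CNAME loop at ${next}`);
    chain.push(next);
    cur = next;
  }
  throw new Error(`CNAME chain from ${host} exceeds ${maxHops} hops`);
}

// Classify a resource host loaded by a page served from pageHost.
//   cloaked: first-party by name, third-party by canonical name.
//   tracker: cloaked and the canonical domain is on the tracker list. CDNs and
//            other legitimate aliases look "cloaked" by DNS alone, which is why
//            list matching on the canonical name is still needed.
function classify(host, pageHost, table = CNAME_TABLE) {
  const chain = resolveChain(host, table);
  const canonical = chain[chain.length - 1];
  const site = registrableDomain(pageHost);
  const cloaked = registrableDomain(host) === site && registrableDomain(canonical) !== site;
  const tracker = cloaked && TRACKER_DOMAINS.has(registrableDomain(canonical));
  return { host, canonical, cloaked, tracker };
}
```

Note that `assets.blog.example` comes out as cloaked but not a tracker: by DNS alone a CDN alias and a cloaked tracker are indistinguishable, so a blocker still has to apply its filter lists to the canonical name rather than block every off-site CNAME.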

Not surprisingly, this tracking scheme is rapidly gaining momentum, growing 21% over the past 22 months.

Cookies leak sensitive information to trackers

The researchers found that the technique is used on 9.98% of the top 10,000 websites, and identified 13 providers of such tracking services across 10,474 websites.

The study also calls out a “targeted treatment of Apple’s web browser Safari,” in which ad technology company Criteo switched specifically to CNAME cloaking to bypass that browser’s privacy protections.

Given that Apple has already rolled out defenses against CNAME cloaking that cap cookie lifetimes, this finding probably reflects devices not yet running iOS 14 and macOS Big Sur, the releases that carry the feature.

Perhaps the most disturbing finding is that cookie data leaks were found on 7,377 (95%) of the 7,797 sites using CNAME tracking: these sites sent cookies containing private information such as full names, locations and email addresses, and even authentication cookies, to trackers on other domains without the user’s explicit consent.

“In fact, it’s ridiculous, because why would the user agree to a third-party tracker receiving totally unrelated data, including sensitive and private data?” asks Olejnik.

With many CNAME trackers included over HTTP rather than HTTPS, the researchers also raise the possibility that a request sending analytics data to the tracker could be intercepted by an adversary in a man-in-the-middle (MitM) attack.

In addition, the larger attack surface created by including a tracker as same-site can expose a website’s visitors to session fixation and cross-site scripting attacks, they warn: a host under the site’s domain can set cookies for the parent domain, and its scripts run with first-party privileges.

The researchers said they have worked with the tracker developers to address the aforementioned issues.

Mitigating CNAME cloaking

While Firefox doesn’t block CNAME cloaking out of the box, users can install an add-on such as uBlock Origin to block such sneaky first-party trackers. Separately, Mozilla yesterday started rolling out Firefox 86 with Total Cookie Protection, which curbs cross-site tracking by “confin[ing] all cookies from each website in a separate cookie jar.”

Apple’s iOS 14 and macOS Big Sur, for their part, ship additional protections built on ITP to defend against third-party CNAME cloaking, although Safari offers no way to expose the tracker domain or block it outright.

“ITP now detects CNAME cloaking requests from third parties and limits the expiration of all cookies set in the HTTP response to seven days,” Wilander said in a November 2020 article.
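The cookie leak and session-fixation risk described earlier, and the seven-day cap Wilander describes here, all come down to RFC 6265 cookie scoping. The following added example is written for this page and is not code from the paper, from WebKit or from any browser; it implements a minimal cookie jar with the RFC’s domain-matching rules and walks through a constructed scenario. The host names, the cookies and the `isCloaked` flag are all constructed; a real browser would derive that flag from its own CNAME lookup, and `Expires` handling and `Path` matching are omitted.

```javascript
// Added example (not code from the paper, WebKit or any browser): a minimal
// RFC 6265 cookie jar showing (1) why a CNAME-cloaked tracker on a first-party
// subdomain receives site-wide cookies, (2) how its response can overwrite the
// site's session cookie (session fixation), and (3) an ITP-style seven-day cap
// on cookies set by a cloaked response. Hosts, cookies and the cloaked flag are
// constructed; Expires and Path handling are omitted.

const SEVEN_DAYS_S = 7 * 24 * 60 * 60;

// RFC 6265 section 5.1.3: a host matches a cookie domain if equal to it or a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase(); cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Parse one Set-Cookie header received from `setBy`. No Domain attribute means a
// host-only cookie; a Domain that is not `setBy` or one of its parents is rejected.
function parseSetCookie(line, setBy) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: setBy.toLowerCase(),
              hostOnly: true, secure: false, maxAge: null };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : a.slice(i + 1);
    if (k === 'domain' && v) { c.domain = v.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
    else if (k === 'secure') c.secure = true;
    else if (k === 'max-age') c.maxAge = parseInt(v, 10);
  }
  if (!c.hostOnly && !domainMatches(setBy, c.domain)) throw new Error(`${setBy} may not set Domain=${c.domain}`);
  return c;
}

// ITP-style rule from the text: a cookie set in a CNAME-cloaked response lives at most 7 days.
function capIfCloaked(cookie, isCloaked) {
  if (isCloaked && cookie.maxAge !== null && cookie.maxAge > SEVEN_DAYS_S) {
    return { ...cookie, maxAge: SEVEN_DAYS_S };
  }
  return cookie;
}

// Store a cookie; same name and domain replaces the existing one (section 5.3 step 11, Path ignored).
function store(jar, cookie) {
  const i = jar.findIndex(c => c.name === cookie.name && c.domain === cookie.domain && c.hostOnly === cookie.hostOnly);
  if (i >= 0) jar[i] = cookie; else jar.push(cookie);
  return jar;
}

// Cookies the browser attaches to a request for `host` (section 5.4, Path ignored).
function cookiesFor(jar, host, https = true) {
  return jar
    .filter(c => (c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain)) && (!c.secure || https))
    .map(c => `${c.name}=${c.value}`);
}

// Constructed scenario: blog.example includes a cloaked tracker at metrics.blog.example.
function demo() {
  const jar = [];
  // The site sets its session cookie for the whole domain so www. and app. share it.
  store(jar, parseSetCookie('sid=s3cr3t; Domain=.blog.example; Secure; Max-Age=2592000', 'blog.example'));
  store(jar, parseSetCookie('csrf=abc', 'blog.example'));   // host-only, stays on blog.example
  // (1) a request to the cloaked tracker carries the site-wide session cookie
  const leaked = cookiesFor(jar, 'metrics.blog.example');
  // (2) the tracker's response may set a cookie for the parent domain, replacing the real session
  const planted = parseSetCookie('sid=attacker-chosen; Domain=.blog.example; Secure; Max-Age=31536000',
                                 'metrics.blog.example');
  // (3) with the cloaked flag set the lifetime is capped; the overwrite itself still happens
  store(jar, capIfCloaked(planted, true));
  const afterFixation = cookiesFor(jar, 'blog.example');
  const sidLifetime = jar.find(c => c.name === 'sid').maxAge;
  return { leaked, afterFixation, sidLifetime };
}
```

The scenario makes the limits of the lifetime cap visible: it shortens how long the planted cookie survives but does nothing about the leak in step (1) or the overwrite in step (2), which is why the text notes that Safari still cannot expose or block the tracker domain itself.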

Brave does so too; last week the browser had to ship a fix for a bug, introduced along with its CNAME-based ad-blocking feature, that sent queries for .onion domains to public DNS resolvers on the Internet rather than through Tor nodes.

Chrome (and by extension other Chromium-based browsers) is the notable omission: it neither blocks CNAME cloaking natively nor, unlike Firefox, gives extensions a DNS API with which to fetch CNAME records before a request is sent.

The emerging CNAME tracking technique […] “bypasses anti-tracking measures,” said Olejnik. “It introduces serious security and privacy concerns. User data leaks continuously and consistently, without the user’s knowledge or consent. This is likely to trigger GDPR and ePrivacy-related clauses.”

“In a way, this is the new low point,” he added.
