Online Trackers Are Now Shifting To New Invasive CNAME Cloaking Technique
More and more browser developers are constantly pushing harder to shift to third-party tracking, whereas organizations of advertising technology are now relying on a new DNS method to exploit these defenses resulting in threats and risks to user privacy and web security.
A bunch of researchers including Guner Acar, Wouter Joosen, Yana Dimova, Lukasz Olenjnik, and Tom Van Goethem said, that, this new technique, named CNAME Cloaking, makes the distinction unclear among the first and third-party cookies which leads to the leaking of private, confidential and sensitive data without the user’s permission or knowing about it. It also further expands the surface for web security threats and potential risks.
Researchers stated that “This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site. As such, defenses that block third-party cookies are rendered ineffective.”
Except for Google Chrome, almost all other popular browsers have already added countermeasures against third-party tracking, in recent four years. Apple did this, around June 2017, by using a feature in Safari known as the ITP (Intelligent Tracking Protection), which resulted in building a completely new standard for mitigating cross-site tracking on mobile phones and desktops. It also led to the limiting of cookies and website data. Later a completely different strategy, named Privacy Presenting Ad Click Attribution, was highlighted by makers of the iPhone with an aim to make online advertisements private.
In September 2019, a service known as the ETP (Enhanced Tracking Protection) was utilized by Mozilla in order to block or prevent third-party cookies, which was further mimicked by Microsoft’s Edge browser around January 2020. Later in 2020, around March, Apple updated the ITP for complete blocking of third-party cookies, however, the update also included other services which were meant to prevent login fingerprinting.
However, Google in early 2020, published their strategy to release tracker and third-party cookies, with regards to a completely new system known as the Privacy Sandbox and is expected to be released in or around 2022. But until it is released, Google is constantly working with advertisement organizations on an alternative, dubbed as Dovekey, which will replace the services offered by cross-site tracking utilizing privacy-centered techs to offer only personalized advertisements over the web.
In an era where cookie-killing barriers are being utilized to elevate privacy, organizations from advertisement sectors have started the search for alternative ways to exploit this defense being adopted by developers in response to cross-site tracking.
Researchers said that they reported, “on a large-scale longitudinal evaluation of an anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, effectively bypassing anti-tracking measures that use fixed hostname-based blocklists.”
Mapping of a domain or subdomain to another one is supported by CNAME records in DNS, which results in CNAME records being an ideal method to steal tracking codes while representing themselves as a subdomain of first-party. John Wilander, the WebKit security engineer said, “This means a site owner can configure one of their subdomains, such as sub.blog.example, to resolve to a thirdparty.example, before resolving to an IP address. This happens underneath the web layer and is called CNAME cloaking the thirdParty.example domain is cloaked as sub.blog.example and thus has the same powers as the true first-party.”
All in all, CNAME cloaking makes the tracking code to resemble its first-party when indeed, it isn’t, with the asset settling through a CNAME that contrasts from that of the first party domain.
Of course, this following plan is quickly acquiring footing, developing by 21% in the course of recent months.
The specialists, in their examination, discovered this method being utilized on 9.98% of 10,000 top sites, notwithstanding uncovering 13 suppliers of such following services on 10,474 sites.
Likewise, the examination refers to direct treatment of Apple’s internet browser Safari wherein advertisement tech organization Criteo exchanged explicitly to CNAME cloaking to sidestep privacy assurances in the browser.
However, Apple already released some life expectancy-based guards for CNAME cloaking, this discovery is probably going to be more reflective on gadgets that don’t run iOS 14 and macOS Big Sur, which uphold this service.
The most alarming of the disclosures is that cookie information spills were found on over 7,375 websites out of the 7,797 websites which utilized CNAME tracking, which sent cookies containing private data like complete names, email addresses, areas, and even the validation cookies to trackers of different domains without the client’s unequivocal confirmation.
Olejni says “It is actually ridiculous even, because why would the user consent to a third-party tracker receiving totally unrelated data, including of sensitive and private nature.”
With numerous CNAME trackers involved over HTTP instead of HTTPS, the scientists additionally raise the likelihood that a solicitation sending examination information to the tracker could be blocked by a malevolent foe in what is called a man-in-the-middle (MitM) assault.
The researchers claimed that they worked with the tracker engineers to address the previously mentioned issues.
Since Firefox does not boycott CNAME cloaking, clients can install an extra like uBlock Origin to impede such slippery first-party trackers. Unexpectedly, the organization yesterday started turning out Firefox 86 with Total Cookie Protection that forestalls cross-site tracking by blocking all cookies from every site in a different cookie container.
Then again, Apple’s iOS 14 and macOS Big Sur accompany extra protections that expand upon its ITP highlight to shield third-party CNAME cloaking, despite the fact that it doesn’t offer a way to expose the tracker domain and confine it directly at the beginning.
The Brave browser also does the same, which a week ago was forced to deliver fixes for a bug that originated because of adding CNAME-based advertisement obstructing service and in the process sent inquiries for .onion domains to public web DNS resolvers as opposed to through Tor nodes.
Chrome is the lone glaring exclusion, as it not only does not block CNAME clocking but also makes it simple for third-party extensions to determine DNS inquiries by extracting the CNAME records before a solicitation is sent, which is not normal for Firefox.
Olejni said that “The emerging CNAME tracking technique evades anti-tracking measures. It introduces serious security and privacy issues. User data is leaking, persistently and consistently, without user awareness or consent. This likely triggers GDPR and ePrivacy related clauses. In a way, this is the new low.”