With browser makers steadily clamping down on third-party
tracking, advertising technology companies are increasingly
embracing a DNS technique to evade such defenses, thereby posing a
threat to web security and privacy.
Called CNAME Cloaking[1], the practice blurs the distinction between
first-party and third-party cookies, which not only results in
leaking sensitive private information without users’ knowledge and
consent but also “increases [the] web security threat surface,” said
researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen,
and Tom Van Goethem in a new paper.
“This tracking scheme takes advantage of a CNAME record on a
subdomain such that it is same-site to the including web site,” the
researchers said[2]
in the paper. “As such, defenses that block third-party cookies are
rendered ineffective.”
The findings are expected to be presented in July at the 21st
Privacy Enhancing Technologies Symposium (PETS 2021).
Rise of Anti-Tracking Measures
Over the past four years, all major browsers, with the notable
exception of Google Chrome, have included countermeasures to curb
third-party tracking.
Apple set the ball rolling with a Safari feature called
Intelligent Tracking Protection (ITP[3]) in June 2017, setting a
new privacy standard on desktop and mobile to reduce cross-site
tracking by “further limiting cookies and other website data.” Two
years later, the iPhone maker outlined a separate plan dubbed
“Privacy Preserving Ad Click
Attribution[4]” to make online ads
private.
Mozilla then began blocking third-party cookies[5] in Firefox by default as
of September 2019 through a feature called Enhanced Tracking
Protection (ETP), and in January 2020, Microsoft’s Chromium-based
Edge browser followed suit[6]. Subsequently, in late
March 2020, Apple updated ITP with full third-party cookie blocking[7], among other features
aimed at thwarting login fingerprinting.
Although Google early last year announced plans to phase out
third-party cookies and trackers in Chrome in favor of a new
framework called the “privacy sandbox[8],” it’s not expected to
go live until some time in 2022.
In the meantime, the search giant has been actively working with
ad tech companies on a proposed replacement called “Dovekey[9]” that looks to supplant
the functionality served by cross-site tracking using
privacy-centered technologies to serve personalized ads on the
web.
CNAME Cloaking as an Anti-Tracking Evasion Scheme
In the face of these cookie-killing barriers to enhance privacy,
marketers have begun looking for alternative ways to evade the
absolutist stance taken by browser makers against cross-site
tracking.
Enter canonical name (CNAME) cloaking, where websites use
first-party subdomains as aliases for third-party tracking domains
via CNAME records in their DNS configuration in order to circumvent
tracker-blockers.
CNAME records[10] in DNS allow for
mapping a domain or subdomain to another (i.e., an alias), thus
making them an ideal means to smuggle tracking code under the guise
of a first-party subdomain.
“This means a site owner can configure one of their subdomains,
such as sub.blog.example, to resolve to thirdParty.example, before
resolving to an IP address,” WebKit security engineer John Wilander
explains. “This happens underneath the web layer and is called
CNAME cloaking — the thirdParty.example domain is cloaked as
sub.blog.example and thus has the same powers as the true
first-party.”
In other words, CNAME cloaking makes tracking code look like
it’s first-party when in fact, it is not, with the resource
resolving through a CNAME that differs from that of the first party
domain.
Not surprisingly, this tracking scheme is rapidly gaining
traction, growing by 21% over the past 22 months.
Cookies Leak Sensitive Information to Trackers
The researchers, in their study, found this technique to be used
on 9.98% of the top 10,000 websites, in addition to uncovering 13
providers of such tracking “services” on 10,474 websites.
What’s more, the study cites a “targeted treatment of Apple’s
web browser Safari” wherein ad tech company Criteo switched
specifically to CNAME cloaking to bypass privacy protections in the
browser.
Given that Apple has already rolled out some lifespan-based defenses[11] for CNAME cloaking,
this finding[12] is likely to be more
reflective of devices that don’t run iOS 14 and macOS Big Sur,
which support the feature.
Perhaps the most troubling of the revelations is that cookie
data leaks were found on 7,377 sites (95%) out of the 7,797 sites
that used CNAME tracking, all of which sent cookies containing
private information such as full names, locations, email addresses,
and even the authentication cookies to trackers of other domains
without the user’s explicit affirmation.
“It is actually ridiculous even, because why would the user
consent to a third-party tracker receiving totally unrelated data,
including of sensitive and private nature?,” asks[13] Olejnik.
With many CNAME trackers included over HTTP rather than HTTPS, the
researchers also raise the possibility that a request sending
analytics data to the tracker could be intercepted by a malicious
adversary in a man-in-the-middle (MitM) attack.
Furthermore, the increased attack surface posed by including a
tracker as same-site could expose the data of a website’s visitors
to session fixation[14] and cross-site
scripting attacks, they caution.
The researchers said they worked with the tracker developers to
address the aforementioned issues.
Mitigating CNAME Cloaking
While Firefox doesn’t ban CNAME cloaking[15] out of the box, users
can download an add-on like uBlock Origin to block such sneaky
first-party trackers. Incidentally, the company yesterday began
rolling out Firefox 86 with Total Cookie Protection[16] that prevents
cross-site tracking by “confin[ing] all cookies from each website
in a separate cookie jar.”
On the other hand, Apple’s iOS 14 and macOS Big Sur come with
additional safeguards that build upon its ITP feature to shield
against third-party CNAME cloaking, although it doesn’t offer a
means to unmask the tracker domain and block it right at the outset.
“ITP now detects third-party CNAME cloaking requests and caps
the expiry of any cookies set in the HTTP response to seven days,”
Wilander detailed in a write-up in November 2020.
So does Brave browser[17], which last week had to release emergency
fixes[18] for a bug introduced when it added CNAME-based ad-blocking:
the new feature sent queries for .onion domains to public internet
DNS resolvers rather than through Tor nodes.
Chrome (and by extension, other Chromium-based browsers) is the
only glaring omission, as it neither blocks CNAME cloaking natively
nor, unlike Firefox, makes it easy for third-party extensions to
resolve DNS queries by fetching the CNAME records before a request
is sent.
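To make the mechanism concrete, here is an added example (not code from the article, the paper or any browser) of the check an uncloaking blocker performs: resolve a request host’s CNAME chain before the request is sent and compare the canonical name’s site with the page’s site, as described in the CNAME cloaking section above and in the Firefox-versus-Chrome comparison. All hostnames, DNS records and the miniature public-suffix list are constructed for offline use.

```python
# Added example, not code from the article, the paper or any browser:
# a CNAME-uncloaking check of the kind the article describes (resolve the
# CNAME chain before a request is sent and compare sites). All hostnames,
# DNS records and the suffix list below are constructed for offline use.

# Constructed zone data: name -> CNAME target, or None where the chain ends.
FAKE_DNS = {
    "sub.blog.example": "thirdparty.example",    # first-party alias of a tracker
    "thirdparty.example": None,
    "cdn.blog.example": "static.blog.example",   # legitimate same-site alias
    "static.blog.example": None,
    "www.blog.example": None,
    "loop.blog.example": "loop2.blog.example",   # misconfigured CNAME loop
    "loop2.blog.example": "loop.blog.example",
}
# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"example", "co.example"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 ("site") of host using the constructed suffix list."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host


def resolve_chain(host: str, dns=FAKE_DNS, max_hops: int = 8) -> list:
    """Follow CNAME records to the canonical name; refuse loops and long chains."""
    chain = [host]
    while len(chain) <= max_hops:
        target = dns.get(chain[-1])
        if target is None:
            return chain
        chain.append(target)
    raise ValueError(f"CNAME chain too long or looping: {chain}")


def is_cname_cloaked(request_host: str, top_site: str) -> bool:
    """True when a host that is same-site with the page resolves, via CNAME,
    to a canonical name under a different registrable domain."""
    site = registrable_domain(top_site)
    if registrable_domain(request_host) != site:
        return False  # an ordinary third-party request; normal blocking applies
    canonical = resolve_chain(request_host)[-1]
    return registrable_domain(canonical) != site
```

A real blocker would replace FAKE_DNS with a live CNAME lookup and PUBLIC_SUFFIXES with the actual Public Suffix List; the comparison logic stays the same.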
“The emerging CNAME tracking technique […] evades
anti-tracking measures,” Olejnik said. “It introduces serious
security and privacy issues. User data is leaking, persistently and
consistently, without user awareness or consent. This likely
triggers GDPR and ePrivacy related clauses.”
“In a way, this is the new low,” he added.
References
- [1] CNAME Cloaking (medium.com)
- [2] said (arxiv.org)
- [3] ITP (webkit.org)
- [4] Privacy Preserving Ad Click Attribution (thenextweb.com)
- [5] blocking third-party cookies (thehackernews.com)
- [6] followed suit (docs.microsoft.com)
- [7] full third-party cookie blocking (thehackernews.com)
- [8] privacy sandbox (thehackernews.com)
- [9] Dovekey (github.com)
- [10] CNAME records (www.cloudflare.com)
- [11] lifespan-based defenses (webkit.org)
- [12] finding (twitter.com)
- [13] asks (blog.lukaszolejnik.com)
- [14] session fixation (en.wikipedia.org)
- [15] doesn’t ban CNAME cloaking (bugzilla.mozilla.org)
- [16] Total Cookie Protection (blog.mozilla.org)
- [17] Brave browser (brave.com)
- [18] release emergency fixes (thehackernews.com)
