As browser makers move to defang third-party (tracking) cookies, marketers are increasingly switching to alternative tracking techniques. One of these is CNAME cloaking, which not only evades anti-tracking measures on most widely used browsers but, according to researchers, also introduces serious security and privacy issues.
Third-party cookies and anti-tracking protections
In 2019, Firefox was equipped with Enhanced Tracking Protection by default, blocking known trackers, third-party tracking cookies and cryptomining scripts. Social media trackers and tracking content in private windows were added to that list a few months later. In August 2020, Firefox received a new protection feature to hamper redirect tracking. Last month, Firefox received protection against cache-based tracking “supercookies”.
On Tuesday, Mozilla released Firefox 86, and with it yet another new anti-tracking feature built into the browser’s Enhanced Tracking Protection (ETP): Total Cookie Protection.
“Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” Mozillans Tim Huang, Johann Hofmann and Arthur Edelstein explained.
There are exceptions to that rule, though: cross-site cookies needed for non-tracking purposes (e.g., for single sign-on purposes). “Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting,” they noted.
Since its inception, the Chromium-based Brave browser has introduced privacy/anti-tracking features such as a system for hiding privacy-harming page elements and third-party tracking ads, browser fingerprint randomization, default removal of common tracking parameters from URLs, protection against query parameter tracking, temporary removal of Google’s Reporting API, CNAME-based adblocking, etc.
Safari has its Intelligent Tracking Prevention feature that employs anti-fingerprinting protection (it presents a simplified version of the user’s system configuration to websites) and now effectively blocks all third-party cookies by default.
In early 2020, Google laid out a roadmap for making third-party cookies obsolete by 2022, and it is working on creating alternative technologies/standards that will permit ad personalization without affecting user privacy.
CNAME cloaking dangers
According to researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem, CNAME cloaking is a tracking evasion scheme that is not new but is rapidly gaining in popularity.
The scheme takes advantage of a CNAME record on a subdomain.
“The tracker is injected in the first-party context, the context of the visited website. A website example.com is embedding the content of the form xxx.example.com. But in reality, this subdomain xxx.example.com is an alias for the tracker domain, the yyy.tracker.com, a separate domain hosted at a third-party server,” Lukasz Olejnik explained.
“This scheme works thanks to a DNS delegation. Most often it is a DNS CNAME record. The tracker technically is hosted in a subdomain of the visited website.”
And because most anti-tracking works on the principle of filter lists, the CNAME cloaking scheme effectively renders most browsers’ anti-tracking defenses ineffective, he notes.
“As of today, from the major web browser vendors only Firefox offers defenses. Since uBlock version 1.25 under Firefox, the extension dynamically resolves hosts and sanitizes such requests if a match is found. Such a measure does not work under Chrome because this web browser does not offer a way for extensions to dynamically resolve hostnames.”
What’s more, CNAME cloaking leads to session fixation and persistent cross-site scripting vulnerabilities, potentially opening users and publishers to attack, as well as massive cookie leaks.
“In 95% of cases of websites using this technique, we found cookies leaking to external tracker servers in an unsanctioned manner, invisible to the user. In some cases, we confirm that the leaked cookies contain private/sensitive data. All these likely trigger the violation of data protection regimes such as the GDPR, or maybe even the CCPA,” Olejnik concluded.
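The uncloaking approach attributed to uBlock above (resolve the host, then match the result against the filter list) and the cookie leak can both be shown in a short script. This is an added example, not code from the researchers or from uBlock; the DNS records, filter list and cookies are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data (not from the research): CNAME records, a filter
# list of tracker domains, and cookies set by www.example.com.
CNAME_RECORDS = {
    "xxx.example.com": "yyy.tracker.com",
    "yyy.tracker.com": "edge.tracker.com",
    "cdn.example.com": "assets.hosting.example.net",
}
TRACKER_DOMAINS = {"tracker.com"}
SITE_COOKIES = [  # (name, host that set it, Domain attribute or None)
    ("session", "www.example.com", "example.com"),
    ("csrf", "www.example.com", None),
]

def within(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.rstrip(".").lower(), domain.strip(".").lower()
    return host == domain or host.endswith("." + domain)

def cname_chain(host, records, max_hops=8):
    """Follow CNAME aliases from host, stopping on a loop or the hop limit."""
    host = host.rstrip(".").lower()
    chain, seen = [], {host}
    while host in records and len(chain) < max_hops:
        host = records[host].rstrip(".").lower()
        if host in seen:
            break
        seen.add(host)
        chain.append(host)
    return chain

def uncloak(host, site, records=CNAME_RECORDS, trackers=TRACKER_DOMAINS):
    """Tracker domain that a first-party host is aliased to, else None."""
    if not within(host, site):
        return None  # third-party host: the plain filter list already applies
    for target in cname_chain(host, records):
        for tracker in sorted(trackers):
            if within(target, tracker):
                return tracker
    return None

def cookies_sent(host, cookies):
    """Cookie names attached to a request for host (Domain matching only;
    Path, Secure and expiry are not modelled in this example)."""
    sent = []
    for name, set_by, domain_attr in cookies:
        scope_ok = host == set_by if domain_attr is None else within(host, domain_attr)
        if scope_ok:
            sent.append(name)
    return sent
```

With this data, `uncloak("xxx.example.com", "example.com")` returns `"tracker.com"`, and `cookies_sent("xxx.example.com", SITE_COOKIES)` returns `["session"]`: the cookie scoped to the whole site with `Domain=example.com` travels to the tracker's server, while the host-only `csrf` cookie does not.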