Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security.
In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021), KU Leuven-affiliated researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem delve into increasing adoption of CNAME-based tracking, which abuse DNS records to erase the distinction between first-party and third-party contexts.
“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site,” the paper explains. “As such, defenses that block third-party cookies are rendered ineffective.”
A technique known as DNS delegation or DNS aliasing has been known since at least 2007 and showed up in privacy-focused research papers in 2010 [PDF] and 2014 [PDF]. Based on the use of CNAME DNS records, the counter anti-tracking mechanism drew attention two years ago when open source developer Raymond Hill implemented a defense in the Firefox version of his uBlock Origin content blocking extension.
CNAME cloaking involves having a web publisher put a subdomain – e.g. trackyou.example.com – under the control of a third-party through the use of a CNAME DNS record. This makes a third-party tracker associated with the subdomain look like it belongs to the first-party domain, example.com.
The boffins from Belgium studied the CNAME-based tracking ecosystem and found 13 different companies using the technique. They claim that the usage of such trackers is growing, up 21 per cent over the past 22 months, and that CNAME trackers can be found on almost 10 per cent of the top 10,000 websites.
What’s more, sites with CNAME trackers have an average of about 28 other tracking scripts. They also leak data due to the way web architecture works. The researchers found cookie data leaks on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking. Most of these were the result of third-party analytics scripts setting cookies on the first-party domain.
Not all of these leaks exposed sensitive data but some did. Out of 103 websites with login functionality tested, the researchers found 13 that leaked sensitive info, including the user’s full name, location, email address, and authentication cookie.
“This suggests that this scheme is actively dangerous,” wrote Dr Lukasz Olejnik, one of the paper’s co-authors, an independent privacy researcher, and consultant, in a blog post. “It is harmful to web security and privacy.”
In addition, the researchers report that ad tech biz Criteo switches specifically to CNAME tracking – putting its cookies into a first-party context – when its trackers encountered users of Safari, which has strong third-party cookie defenses.
According to Olejnik, CNAME tracking can defeat most anti-tracking techniques and there are few defenses against it.
Chrome falls short because it does not have a suitable DNS-resolving API for uBlock Origin to hook into. Safari will limit the lifespan of cookies set via CNAME cloaking but doesn’t provide a way to undo the domain disguise to determine whether the subdomain should be blocked outright.