The ad tech industry has always been at loggerheads with the providers of tracking blocker apps. This battle has intensified in recent years as browsers take a tougher pro-privacy or anti-tracker stance, although existing countermeasures to curb third-party tracking don’t seem to be enough.
The new threat
Recently, a CNAME-based tracking technique has been observed gaining traction.
- The tracking evasion scheme named CNAME cloaking has been increasingly used to bypass browsers' anti-tracking defenses.
- This technique evades anti-tracking measures on most widely-used browsers.
- This method uses a CNAME record on a subdomain of the visited site so that the tracker appears to belong to the same site. Thus, it can bypass the defense systems that block third-party cookies.
- Apart from creating serious security and privacy issues, this technique leads to session fixation and persistent cross-site scripting (XSS) vulnerabilities, potentially opening users and publishers to attacks and massive cookie leaks.
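One way to detect the cloaking described above and see which cookies it exposes, added here as an example and not taken from the article or from any browser's implementation. All hostnames, DNS records, the blocklist, and the cookie jar are constructed, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
# All hostnames, records, and cookies below are constructed for illustration.
CNAME_RECORDS = {
    "metrics.shop.example": "shop-example.collector.tracker-net.example",
    "shop-example.collector.tracker-net.example": "edge7.tracker-net.example",
    "cdn.shop.example": "assets.shop.example",
    "status.shop.example": "shop.status-host.example",
}
TRACKER_BLOCKLIST = {"tracker-net.example"}  # registrable domains of known trackers
COOKIES = [  # (name, domain, host_only)
    ("session_id", "shop.example", False),  # Domain=shop.example: sent to every subdomain
    ("csrf", "www.shop.example", True),     # host-only: sent to www.shop.example only
]

def resolve_chain(name, records, max_hops=8):
    """Follow CNAME records from name and return every name visited, in order."""
    chain = [name.lower().rstrip(".")]
    while chain[-1] in records and len(chain) <= max_hops:
        target = records[chain[-1]].lower().rstrip(".")
        if target in chain:  # CNAME loop: stop rather than spin
            break
        chain.append(target)
    return chain

def registrable(host):
    """Assumption: registrable domain = last two labels (use the Public Suffix List in practice)."""
    return ".".join(host.split(".")[-2:])

def classify(page_host, request_host, records=CNAME_RECORDS, blocklist=TRACKER_BLOCKLIST):
    """Label a request by where its hostname really resolves, not by how it is spelled."""
    site = registrable(page_host)
    if registrable(request_host) != site:
        return "third-party"  # already third-party by name, no cloaking involved
    off_site = {registrable(h) for h in resolve_chain(request_host, records)[1:]} - {site}
    if off_site & blocklist:
        return "cloaked-tracker"
    return "cloaked-third-party" if off_site else "first-party"

def cookies_sent(request_host, cookies=COOKIES):
    """Names of cookies the browser attaches to request_host (domain-match only)."""
    return [name for name, domain, host_only in cookies
            if request_host == domain
            or (not host_only and request_host.endswith("." + domain))]

if __name__ == "__main__":
    for host in ("metrics.shop.example", "status.shop.example", "cdn.shop.example"):
        print(host, classify("www.shop.example", host), cookies_sent(host))
```

The `session_id` cookie reaches the cloaked host because it is scoped to the whole site, while the host-only `csrf` cookie does not.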
Several attack methods have been discovered lately that could put user tracking data at risk of theft.
- An attacker was observed using Supercookie to access users’ favicon cache data, which stores information about users, such as the subdomain, domain, route, and URL parameter of the visited websites, the time to live, and the favicon ID.
- A new cross-layer attack technique was discovered that could exploit a weakness in the Pseudo-Random Number Generator (PRNG) of the Linux kernel and use it to expose millions of Android device users to tracking.
Some anti-tracking initiatives
Over the past few years, the most widely used browsers have been introducing new anti-tracking features to block known trackers, third-party tracking cookies, and crypto mining scripts.
- First on the list is the Firefox browser, which has released several updates and features, such as redirect tracking blocking and several others, to enhance its cookie protection capabilities.
- Chromium-based Brave browser has introduced privacy/anti-tracking features such as CNAME-based ad blocking, temporary removal of Google’s Reporting API, browser fingerprint randomization, and protection against query parameter tracking.
- Safari has adopted the Intelligent Tracking Prevention (ITP) feature to employ anti-fingerprinting protection and block all third-party cookies by default.
The existing anti-tracking mechanisms are built into browsers, run as a DNS resolver, or are deployed as a browser extension. Consequently, CNAME cloaking is rapidly gaining traction, especially among high-traffic websites. Thus, to clamp down on online trackers, the creation of alternative technologies or standards has become a necessity. Until then, websites using CNAME trackers should take extra precautions to avoid such harm.