Say my CNAME: Rise of sneaky adtech tactic poses threat to web security and privacy

Whack-a-mole game in play between trackers and ad blockers

Websites are making heavier use of a technology called CNAME tracking to get around ad blockers on the web – much to the detriment of both privacy and security on the web, a new study warns.

A group of computer scientists from KU Leuven in Belgium and an independent researcher, who was affiliated with the European data protection regulator, reports that this this tracking scheme is rapidly gaining traction, especially among high-traffic websites.

Trackers build behavioral-based user profiles through intrusive data collection in order to make money by serving ads linked to surfers’ browsing history.

More and more mores users have turned to anti-tracking tools to preserve their privacy but the advertising technology (ad tech) industry has responded by turning to CNAME tracking, a stealthier and, the researchers argue, more damaging form of the technology.

Tom Van Goethem, one of the researchers, told The Daily Swig that the technology has a negative impact on the security of publishers’ sites.

“There are several issues there that are intrinsic to CNAME-based tracking: authentication cookies may flow to the tracker (this unnecessarily increases the attack surface),” Van Goethem explained. “Trackers also add code to the website; if this contains security flaws, it also impacts the website itself.”

The potential danger of this is increased by the fact that the tracker runs on a subdomain of the publisher (same-site), Van Goethem added.

Van Goethem explained: “One of the security issues we discovered introduces a cross-site scripting vulnerability in all the websites that use this tracker. Despite several attempts to contact the tracker, the issue has not been mitigated and puts hundreds of websites (and their users) at risk.”

A blog post by Lukasz Olejnik, another researcher involved in the intensive study, carried out over more than a year, highlights another risk:

The use of the CNAME cloaking technique leads to massive cookie leaks. In 95% of cases of websites using this technique, we found cookies leaking to external tracker servers in an unsanctioned manner, invisible to the user.

In some cases, we confirm that the leaked cookies contain private/sensitive data. All these likely trigger the violation of data protection regimes such as the GDPR, or maybe even the CCPA.

CNAME of the game

‘CNAME cloaking’ disguises third-party trackers as first-party trackers as a tactic to bypass interdiction by ad blockers.

The approach relies on assigning a subdomain for data collection and tracking, and linking it to an external server with the CNAME DNS record.

A Canonical Name (CNAME) record maps domain name connections so that multiple services, such as an FTP server and web server running on different ports, can run from a single IP address.

Security decimated

The researchers – Yana Dimova, Gunes Acar, and Wouter Joosen as well as Olejnik and Van Goethem – found that almost one in 10 (9.98%) of the top 10,000 websites were running CNAME tracking to serve ads.

Use of this method is rising (up 21% over the past 22 months), according to Olejnik. At least 13 adtech providers are actively deploying the technique.

“We detect 13 providers of such tracking ‘services’ on 10,474 websites,” Olejnik writes. “This scheme leads to data leaks on 95% of the websites employing it. Such data leaks sometimes involve unambiguously private data.”

The researchers carried out an evaluation of an anti-tracking evasion scheme that leverages CNAME records to include tracker resources in a same-site context, effectively bypassing anti-tracking measures that use fixed, hostname-based block lists.

RECOMMENDED H2C smuggling named top web hacking technique of 2020

To establish whether CNAME-based trackers were used to replace third-party tracking, the team ran an experiment where they compared the number of third-party trackers detected in the six-month period before they included a CNAME-based tracker with the figure for the subsequent six months.

“Surprisingly we found that there was almost no change in the number of third-party trackers per site (on average around 22!),” Van Goethem reports. “Furthermore, there is one tracker that only switches to CNAME-based tracking when they detect the user is visiting the site with Safari (which blocks third-party tracking by default).”

“These findings indicate that CNAME-based tracking is used to gain insights in the visitors that already make use of anti-tracking mechanisms,” he added.

What’s in a CNAME?

Users who wish to block CNAME-based tracking can make use of anti-tracking tools that implemented defences for it.

There are also mechanisms that block it at the DNS level, such as NextDNS, AdGuard, and Pi-hole. Browser-level defences such as uBlock Origin on Firefox, Brave, and Safari may also be an option.

“The Safari defenses against CNAME-based tracking were introduced shortly after we submitted our paper, so we haven't had the chance yet to thoroughly evaluate this specific defense, but we are happy to see that more and more efforts are being made to curb this tracking method that's on the rise.”

Some of those deploying CNAME technique are targeting some specifically targeting surfers that use Apple Safari, the study discovered.

Read more of the latest data privacy news

A paper on the research is due to be presented at the Privacy Enhancing Technologies Symposium (PETS 2021) in July.

The paper introduces a method to detect new CNAME-based trackers that can be used by blocklist maintainers to thwart trackers before they become widespread.

“The blocklist-based anti-tracking mechanisms rely heavily on the coverage of the blocklist (simply put: if a tracker is not added to the blocklist, it remains operational),” Van Goethem said.

“EasyList already added entries in response to our paper,” he added.

RELATED Apple’s Safari browser blocks CNAME cloaking in Big Sur privacy boost

Comments are closed.