Cloak and dagger

ANALYSIS Online advertising companies are making use of a new technique to fool web browsers into thinking they are serving first-party, rather than third-party, cookies, circumventing the protections offered by ad blocking software in the process.

The tactic – dubbed ‘CNAME Cloaking’ – represents the latest twist in the ongoing conflict that pits online advertising and analytics firms against ad blocking software firms and browser vendors.

A Canonical Name (CNAME) record in the Domain Name System (DNS) maps one domain name to another. The approach allows multiple services such as an FTP server and a web server, each running on different ports, to be run from a single IP address.

Ad tech firms are asking their clients to delegate a subdomain for data collection and tracking and to link it to an external server using a CNAME DNS record.

The website and the external tracking site then appear to originate from the same domain, allowing cookies set by the tracking site to appear as if they belong to the original domain.

In this way, CNAME Cloaking can be used to disguise a third-party tracker as a first-party cookie.

Cross-domain tracking

Online marketing and web analytics firms including Eulerian, AT Internet (formerly XiTi), Keyade, Adobe Marketing Cloud (formerly Omniture), Criteo, and Commanders Act, are actively using CNAME Cloaking, in at least some cases quite openly.

For example, Adobe has an explainer on “Data Collection CNAMEs and Cross-Domain Tracking”. Eulerian also has its own spin on delegated data collection.

The approach has become fashionable since browser makers such as Mozilla bundled tracking protection with their software that blocks third-party cookies and crypto-mining code by default.

The party of the first part…

In a technical blog post, Romain Cointepas, co-founder of NextDNS, offers an email from Criteo asking a website to make a quick change to “adapt to the evolution of browsers” as evidence of how the tracking technique is being promoted by ad tech firms.

According to Cointepas, sites disguising third-party trackers as first-party trackers using this method include foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, and dozens of others.

Paul Vixie, a US computer scientist who played an integral role in developing DNS technology, responded on Twitter: “Will *anything* that can be abused *ever* not be?”

Blindsided

Ad blockers such as AdBlock, Adblock Plus, and uBlock Origin are blindsided by the CNAME Cloaking tactic because browser extensions are not allowed access to the DNS layer of web requests, so they can’t see the CNAMEs.

“When each website loads third party trackers by calling something like a3ksbl.website.com, privacy-protection tools now have to figure out which subdomain is a front for CNAME Cloaking, for tens of thousands of websites,” Cointepas argues. “That’s a LOT of work.”

“Tools need to include as many rules as there are websites using this CNAME Cloaking method,” he adds.

Remediation is further complicated because “tools are already reaching the maximum number of rules allowed on each platform (50,000 for Safari, and 30,000 in the soon-to-be-released Google Chrome version with Manifest V3)”, according to Cointepas.

Seemingly in spite of these technical obstacles, uBlock Origin developer Raymond Hill released an update to the ad blocking software that takes advantage of a Firefox DNS resolution API in order to detect and block CNAME shenanigans.

“[uBlock Origin] is now equipped to deal with 3rd-party disguised as 1st-party as far as Firefox's browser.dns allows it,” Hill explains in the release notes for uBlock Origin v1.24.1b0.

“The next step is for me to pick a cogent way for filter list maintainers to be able to tell uBO to uncloak specific hostnames, as doing this by default for all hostnames is not a good idea.”

What’s in a CNAME?

The DNS cloaking technique is bad for privacy because it makes it more straightforward for ad tech firms to track web surfers by fingerprinting properties such as IP address, operating system version, and browser version, rather than relying on cookies.

“There is not a more ideal situation for a third-party tracker that wants to fingerprint you than being able to execute their own script from a subdomain of the website itself, as putting restrictions in place against this would negatively affect the websites themselves,” Cointepas notes.

It’s bad practice for a website to set cookies as accessible to all subdomains (i.e., *.website.com), but many sites disregard this rule. In such cases “cookies are automatically sent to the cloaked third-party tracker”, the researcher warns.

“One of those cookies could be an authentication cookie. Anyone in possession of this cookie can impersonate the user and access private user information.” Cointepas adds.

In his blog post, Cointepas shows how session cookies with liberation.fr are automatically sent to the third-party tracker from Eulerian.
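The cookie leak described above can be reproduced offline with Python's standard-library cookie jar, which applies the same domain-matching rules a browser does. This is an added example, not code from the article, NextDNS or uBlock Origin; the hostnames www.example.com (the site) and a3ksbl.example.com (the delegated tracker subdomain) are constructed, and the CNAME behind the tracker subdomain is deliberately absent because the cookie jar never sees it, which is exactly why the cookie is sent. The weak setting (a session cookie scoped with Domain=.example.com) is shown beside the hardened one (no Domain attribute, so the cookie is host-only).

```python
"""Show why a Domain=.example.com session cookie reaches a CNAME-cloaked tracker.

Added example, not from the original article. All hostnames are constructed.
"""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

SITE_LOGIN = "http://www.example.com/login"            # constructed: the site itself
SITE_ACCOUNT = "http://www.example.com/account"        # constructed: another page on the site
CLOAKED_TRACKER = "http://a3ksbl.example.com/collect"  # constructed: delegated tracker subdomain


class _FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar.extract_cookies only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def cookie_header_sent_to(set_cookie_value, login_url, target_url):
    """Store a cookie as if login_url had set it, then return the Cookie header the jar
    would attach to a request for target_url (None when nothing would be sent)."""
    jar = CookieJar()
    login_req = Request(login_url)
    jar.extract_cookies(_FakeResponse([set_cookie_value]), login_req)
    target_req = Request(target_url)
    jar.add_cookie_header(target_req)
    return target_req.get_header("Cookie")


# Weak: the site scopes its session cookie to every subdomain (*.example.com).
LEAKY = "session=abc123; Domain=.example.com; Path=/"
# Hardened: no Domain attribute, so the cookie is host-only (www.example.com).
HOST_ONLY = "session=abc123; Path=/"

if __name__ == "__main__":
    print("Domain=.example.com -> tracker:", cookie_header_sent_to(LEAKY, SITE_LOGIN, CLOAKED_TRACKER))
    print("host-only           -> tracker:", cookie_header_sent_to(HOST_ONLY, SITE_LOGIN, CLOAKED_TRACKER))
    print("host-only           -> site:   ", cookie_header_sent_to(HOST_ONLY, SITE_LOGIN, SITE_ACCOUNT))
```

The host-only cookie still reaches other pages on www.example.com, so dropping the Domain attribute costs nothing unless the site genuinely needs the session shared across its own subdomains, in which case the tracker subdomain should not be delegated at all.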

While browser-based ad blockers struggle to deal with the tactic, it can be detected and blocked at the DNS level, where the CNAME chain is visible.
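The DNS-level check is straightforward once the resolver can see the CNAME records: follow the chain from the requested hostname and compare the registrable domain of the final target with that of the page. This is an added example, not NextDNS's or uBlock Origin's code. The DNS answers are a constructed in-memory table so it runs offline (a real deployment would query a resolver for CNAME records, for example with dnspython), the tracker hostnames under cloaked-tracker.invalid are hypothetical, and the tiny suffix list stands in for the Public Suffix List. It also covers two edge cases a filter would meet in practice: benign same-site CNAMEs, and looping chains.

```python
"""Uncloak a delegated subdomain by following its CNAME chain at the DNS layer.

Added example, not from the original article. DNS data below is constructed.
"""

# Constructed CNAME table: name -> canonical name. ".invalid" marks hypothetical ad-tech hosts.
CONSTRUCTED_CNAMES = {
    "a3ksbl.example.com": "example.cloaked-tracker.invalid",          # delegated tracker subdomain
    "example.cloaked-tracker.invalid": "edge7.cloaked-tracker.invalid",  # second hop inside the tracker
    "static.example.com": "cdn.example.com",                            # same-site CNAME, benign
    "loop.example.com": "loop2.example.com",                            # misconfigured loop
    "loop2.example.com": "loop.example.com",
}

# Small stand-in for the Public Suffix List; a real tool would load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable (eTLD+1) domain of a hostname, e.g. news.bbc.co.uk -> bbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def follow_cnames(host, records, max_hops=8):
    """Return the chain [host, cname1, cname2, ...] ending at a name with no CNAME.

    Raises ValueError on a loop or on a chain longer than max_hops, so a broken
    zone cannot make the check spin forever."""
    chain = [host.lower()]
    seen = {chain[0]}
    while chain[-1] in records:
        nxt = records[chain[-1]].lower()
        if nxt in seen or len(chain) >= max_hops:
            raise ValueError("CNAME chain loops or is too long: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
        seen.add(nxt)
    return chain


def is_cname_cloaked(page_host, request_host, records):
    """True when request_host looks first-party (same registrable domain as the page)
    but its CNAME chain ends in a different registrable domain."""
    site = registrable_domain(page_host)
    if registrable_domain(request_host) != site:
        return False  # plain third-party request; ordinary hostname rules already see it
    return registrable_domain(follow_cnames(request_host, records)[-1]) != site


def classify(page_host, request_host, records):
    """Summarise one request for a filter log: chain, final domain and verdict."""
    chain = follow_cnames(request_host, records)
    return {
        "request": request_host,
        "chain": chain,
        "final_domain": registrable_domain(chain[-1]),
        "cloaked": is_cname_cloaked(page_host, request_host, records),
    }


if __name__ == "__main__":
    for host in ("a3ksbl.example.com", "static.example.com", "cdn.other.invalid"):
        print(classify("www.example.com", host, CONSTRUCTED_CNAMES))
```

Flagging every subdomain whose CNAME leaves the site would also catch CDNs and hosted services the site relies on, which is the reason Hill, quoted above, prefers to let filter-list maintainers name the hostnames to uncloak rather than uncloaking all of them by default.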

“At NextDNS we released protections against CNAME Cloaking as soon as this started spreading, and we are continuously monitoring the situation to adapt quickly to methods like this,” Cointepas concludes.
