Thursday, April 15, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Privacy

Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique

February 25, 2021
in Internet Privacy
Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defenses, thereby posing a threat to web security and privacy.

Called CNAME Cloaking, the practice of blurring the distinction between first-party and third-party cookies not only results in leaking sensitive private information without users’ knowledge and consent but also “increases [the] web security threat surface,” said a group of researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem in a new study.

You might also like

New WhatsApp Bugs Could’ve Let Attackers Hack Your Phone Remotely

New JavaScript Exploit Can Now Carry Out DDR4 Rowhammer Attacks

Simplify, then Add Lightness – Consolidating the Technology to Better Defend Ourselves

“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site,” the researchers said in the paper. “As such, defenses that block third-party cookies are rendered ineffective.”

The findings are expected to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021).

Rise of Anti-Tracking Measures

Over the past four years, all major browsers, with the notable exception of Google Chrome, have included countermeasures to curb third-party tracking.

Apple set the ball rolling with a Safari feature called Intelligent Tracking Protection (ITP) in June 2017, setting a new privacy standard on desktop and mobile to reduce cross-site tracking by “further limiting cookies and other website data.” Two years later, the iPhone maker outlined a separate plan dubbed “Privacy Preserving Ad Click Attribution” to make online ads private.

Mozilla then began blocking third-party cookies in Firefox by default as of September 2019 through a feature called Enhanced Tracking Protection (ETP), and in January 2020, Microsoft’s Chromium-based Edge browser followed suit. Subsequently, in late March 2020, Apple updated ITP with full third-party cookie blocking, among other features aimed at thwarting login fingerprinting.

Although Google early last year announced plans to phase out third-party cookies and trackers in Chrome in favor of a new framework called the “privacy sandbox,” it’s not expected to go live until some time in 2022.

In the meantime, the search giant has been actively working with ad tech companies on a proposed replacement called “Dovekey” that looks to supplant the functionality served by cross-site tracking using privacy-centered technologies to serve personalized ads on the web.

CNAME Cloaking as an Anti-Tracking Evasion Scheme

In the face of these cookie-killing barriers to enhance privacy, marketers have begun looking for alternative ways to evade the absolutist stance taken by browser makers against cross-site tracking.

Enter canonical name (CNAME) cloaking, where websites use first-party subdomains as aliases for third-party tracking domains via CNAME records in their DNS configuration in order to circumvent tracker-blockers.

CNAME records in DNS allow for mapping a domain or subdomain to another (i.e., an alias), thus making them an ideal means to smuggle tracking code under the guise of a first-party subdomain.

“This means a site owner can configure one of their subdomains, such as sub.blog.example, to resolve to thirdParty.example, before resolving to an IP address,” WebKit security engineer John Wilander explains. “This happens underneath the web layer and is called CNAME cloaking — the thirdParty.example domain is cloaked as sub.blog.example and thus has the same powers as the true first-party.”

In other words, CNAME cloaking makes tracking code look like it’s first-party when in fact, it is not, with the resource resolving through a CNAME that differs from that of the first party domain.

Not surprisingly, this tracking scheme is rapidly gaining traction, growing by 21% over the past 22 months.

Cookies Leak Sensitive Information to Trackers

The researchers, in their study, found this technique to be used on 9.98% of the top 10,000 websites, in addition to uncovering 13 providers of such tracking “services” on 10,474 websites.

What’s more, the study cites a “targeted treatment of Apple’s web browser Safari” wherein ad tech company Criteo switched specifically to CNAME cloaking to bypass privacy protections in the browser.

http://thehackernews.com/

Given that Apple has already rolled out some lifespan-based defenses for CNAME cloaking, this finding is likely to be more reflective of devices that don’t run iOS 14 and macOS Big Sur, which support the feature.

Perhaps the most troubling of the revelations is that cookie data leaks were found on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking, all of which sent cookies containing private information such as full names, locations, email addresses, and even the authentication cookies to trackers of other domains without the user’s explicit affirmation.

“It is actually ridiculous even, because why would the user consent to a third-party tracker receiving totally unrelated data, including of sensitive and private nature?,” asks Olejnik.

With many CNAME trackers included over HTTP as opposed to HTTPS, the researchers also raise the possibility that a request sending analytics data to the tracker could be intercepted by a malicious adversary in what’s a man-in-the-middle (MitM) attack.

Furthermore, the increased attack surface posed by including a tracker as same-site could expose the data of a website’s visitors to session fixation and cross-site scripting attacks, they caution.

The researchers said they worked with the tracker developers to address the aforementioned issues.

Mitigating CNAME Cloaking

While Firefox doesn’t ban CNAME cloaking out of the box, users can download an add-on like uBlock Origin to block such sneaky first-party trackers. Incidentally, the company yesterday began rolling out Firefox 86 with Total Cookie Protection that prevents cross-site tracking by “confin[ing] all cookies from each website in a separate cookie jar.”

On the other hand, Apple’s iOS 14 and macOS Big Sur come with additional safeguards that build upon its ITP feature to shield third-party CNAME cloaking, although it doesn’t offer a means to unmask the tracker domain and block it right at the outset.

“ITP now detects third-party CNAME cloaking requests and caps the expiry of any cookies set in the HTTP response to seven days,” Wilander detailed in a write-up in November 2020.

So does Brave browser, which last week had to release emergency fixes for a bug that stemmed as a result of adding CNAME-based ad-blocking feature and in the process sent queries for .onion domains to public internet DNS resolvers rather than through Tor nodes.

Chrome (and by extension, other Chromium-based browsers) is the only glaring omission, as it neither blocks CNAME cloaking natively nor makes it easy for third-party extensions to resolve DNS queries by fetching the CNAME records before a request is sent unlike Firefox.

“The emerging CNAME tracking technique […] evades anti-tracking measures,” Olejnik said. “It introduces serious security and privacy issues. User data is leaking, persistently and consistently, without user awareness or consent. This likely triggers GDPR and ePrivacy related clauses.”

“In a way, this is the new low,” he added.


Credit: The Hacker News By: noreply@blogger.com (Ravie Lakshmanan)

Previous Post

Off-chain reporting: Toward a new general purpose secure compute framework by Chainlink

Next Post

Google funds Linux kernel developers to work exclusively on security

Related Posts

New WhatsApp Bugs Could’ve Let Attackers Hack Your Phone Remotely
Internet Privacy

New WhatsApp Bugs Could’ve Let Attackers Hack Your Phone Remotely

April 15, 2021
New JavaScript Exploit Can Now Carry Out DDR4 Rowhammer Attacks
Internet Privacy

New JavaScript Exploit Can Now Carry Out DDR4 Rowhammer Attacks

April 15, 2021
Simplify, then Add Lightness – Consolidating the Technology to Better Defend Ourselves
Internet Privacy

Simplify, then Add Lightness – Consolidating the Technology to Better Defend Ourselves

April 14, 2021
Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits
Internet Privacy

Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

April 14, 2021
RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers
Internet Privacy

RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers

April 14, 2021
Next Post
Google funds Linux kernel developers to work exclusively on security

Google funds Linux kernel developers to work exclusively on security

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Why Corporate AI Projects Fail? Part 2/4 | by Sundeep Teki, PhD | Apr, 2021
Neural Networks

Why Corporate AI Projects Fail? Part 2/4 | by Sundeep Teki, PhD | Apr, 2021

April 15, 2021
How to Analyze Influencer Campaign Performance
Marketing Technology

How to Analyze Influencer Campaign Performance

April 15, 2021
Six courses to build your technology skills in 2021 – IBM Developer
Technology Companies

How AI helps Overwatch League process 410M data points to build power rankings – IBM Developer

April 15, 2021
ExpressVPN review: A fine VPN service, but is it worth the price?
Internet Security

ExpressVPN review: A fine VPN service, but is it worth the price?

April 15, 2021
New WhatsApp Bugs Could’ve Let Attackers Hack Your Phone Remotely
Internet Privacy

New WhatsApp Bugs Could’ve Let Attackers Hack Your Phone Remotely

April 15, 2021
AQUA for Amazon Redshift goes GA
Big Data

AQUA for Amazon Redshift goes GA

April 15, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Why Corporate AI Projects Fail? Part 2/4 | by Sundeep Teki, PhD | Apr, 2021 April 15, 2021
  • How to Analyze Influencer Campaign Performance April 15, 2021
  • How AI helps Overwatch League process 410M data points to build power rankings – IBM Developer April 15, 2021
  • ExpressVPN review: A fine VPN service, but is it worth the price? April 15, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates