Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique

Feb 27, 2021 by iHash

With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defenses, thereby posing a threat to web security and privacy.

Called CNAME Cloaking, the practice of blurring the distinction between first-party and third-party cookies not only results in leaking sensitive private information without users’ knowledge and consent but also “increases [the] web security threat surface,” a group of researchers (Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem) said in a new study.

“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site,” the researchers said in the paper. “As such, defenses that block third-party cookies are rendered ineffective.”

The findings are expected to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021).

Rise of Anti-Tracking Measures

Over the past four years, all major browsers, with the notable exception of Google Chrome, have included countermeasures to curb third-party tracking.

Apple set the ball rolling with a Safari feature called Intelligent Tracking Protection (ITP) in June 2017, setting a new privacy standard on desktop and mobile to reduce cross-site tracking by “further limiting cookies and other website data.” Two years later, the iPhone maker outlined a separate plan dubbed “Privacy Preserving Ad Click Attribution” to make online ads private.

Mozilla then began blocking third-party cookies in Firefox by default as of September 2019 through a feature called Enhanced Tracking Protection (ETP), and in January 2020, Microsoft’s Chromium-based Edge browser followed suit. Subsequently, in late March 2020, Apple updated ITP with full third-party cookie blocking, among other features aimed at thwarting login fingerprinting.

Although Google early last year announced plans to phase out third-party cookies and trackers in Chrome in favor of a new framework called the “privacy sandbox,” it’s not expected to go live until some time in 2022.

In the meantime, the search giant has been actively working with ad tech companies on a proposed replacement called “Dovekey” that looks to supplant the functionality served by cross-site tracking using privacy-centered technologies to serve personalized ads on the web.

CNAME Cloaking as an Anti-Tracking Evasion Scheme

In the face of these cookie-killing barriers to enhance privacy, marketers have begun looking for alternative ways to evade the absolutist stance taken by browser makers against cross-site tracking.

Enter canonical name (CNAME) cloaking, where websites use first-party subdomains as aliases for third-party tracking domains via CNAME records in their DNS configuration in order to circumvent tracker-blockers.

CNAME records in DNS allow for mapping a domain or subdomain to another (i.e., an alias), thus making them an ideal means to smuggle tracking code under the guise of a first-party subdomain.

“This means a site owner can configure one of their subdomains, such as sub.blog.example, to resolve to thirdParty.example, before resolving to an IP address,” WebKit security engineer John Wilander explains. “This happens underneath the web layer and is called CNAME cloaking — the thirdParty.example domain is cloaked as sub.blog.example and thus has the same powers as the true first-party.”

In other words, CNAME cloaking makes tracking code look like it’s first-party when in fact it is not: the resource resolves through a CNAME record to a domain that differs from the first-party domain.

Not surprisingly, this tracking scheme is rapidly gaining traction, growing by 21% over the past 22 months.

Cookies Leak Sensitive Information to Trackers

The researchers, in their study, found this technique to be used on 9.98% of the top 10,000 websites, in addition to uncovering 13 providers of such tracking “services” on 10,474 websites.

What’s more, the study cites a “targeted treatment of Apple’s web browser Safari” wherein ad tech company Criteo switched specifically to CNAME cloaking to bypass privacy protections in the browser.

Given that Apple has already rolled out some lifespan-based defenses for CNAME cloaking, this finding is likely to be more reflective of devices that don’t run iOS 14 and macOS Big Sur, which support the feature.

Perhaps the most troubling of the revelations is that cookie data leaks were found on 7,377 sites (95%) out of the 7,797 sites that used CNAME tracking, all of which sent cookies containing private information such as full names, locations, email addresses, and even authentication cookies to trackers of other domains without the user’s explicit affirmation.

“It is actually ridiculous even, because why would the user consent to a third-party tracker receiving totally unrelated data, including of sensitive and private nature?,” asks Olejnik.

With many CNAME trackers included over HTTP as opposed to HTTPS, the researchers also raise the possibility that a request sending analytics data to the tracker could be intercepted by a malicious adversary in a man-in-the-middle (MitM) attack.

Furthermore, the increased attack surface posed by including a tracker as same-site could expose the data of a website’s visitors to session fixation and cross-site scripting attacks, they caution.

The researchers said they worked with the tracker developers to address the aforementioned issues.

Mitigating CNAME Cloaking

While Firefox doesn’t ban CNAME cloaking out of the box, users can download an add-on like uBlock Origin to block such sneaky first-party trackers. Incidentally, the company yesterday began rolling out Firefox 86 with Total Cookie Protection that prevents cross-site tracking by “confin[ing] all cookies from each website in a separate cookie jar.”

On the other hand, Apple’s iOS 14 and macOS Big Sur come with additional safeguards that build upon the ITP feature to shield against third-party CNAME cloaking, although they don’t offer a means to unmask the tracker domain and block it right at the outset.

“ITP now detects third-party CNAME cloaking requests and caps the expiry of any cookies set in the HTTP response to seven days,” Wilander detailed in a write-up in November 2020.

So does the Brave browser, which last week had to release emergency fixes for a bug introduced by its new CNAME-based ad-blocking feature: the feature sent queries for .onion domains to public internet DNS resolvers rather than through Tor nodes.

Chrome (and by extension, other Chromium-based browsers) is the only glaring omission, as it neither blocks CNAME cloaking natively nor, unlike Firefox, makes it easy for third-party extensions to resolve DNS queries by fetching the CNAME records before a request is sent.
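The two defenses described above (uncloaking a first-party subdomain by following its CNAME chain, as uBlock Origin does on Firefox, and capping the lifetime of cookies set in a cloaked response at seven days, as ITP does) can be sketched in code. The following is an added example, not code from the article, the paper or any browser; the DNS table and hostnames are constructed, and registrable domains are approximated as the last two labels (a real implementation would use the public suffix list).

```python
# Added example: CNAME uncloaking check plus an ITP-style seven-day cookie cap.
# The CNAME_TABLE below is a constructed stand-in for live DNS answers.
CNAME_TABLE = {
    "metrics.blog.example.": "blog.example.tracker-cdn.example.",
    "blog.example.tracker-cdn.example.": "edge.tracker-cdn.example.",
    "static.blog.example.": "cdn.blog.example.",   # same-site alias, not cloaking
}

MAX_CHAIN = 8                      # loop/depth guard when following aliases
ITP_CAP_SECONDS = 7 * 24 * 3600    # ITP caps cloaked-response cookies at 7 days


def registrable_domain(name: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption: no public suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_cname_chain(name: str, table=CNAME_TABLE) -> list:
    """Follow CNAME aliases the way a resolver would and return every name visited."""
    chain = [name]
    while chain[-1] in table and len(chain) <= MAX_CHAIN:
        nxt = table[chain[-1]]
        if nxt in chain:           # CNAME loop: stop rather than spin
            break
        chain.append(nxt)
    return chain


def is_cname_cloaked(host: str, page_domain: str, table=CNAME_TABLE) -> bool:
    """True when a first-party subdomain ultimately aliases a different registrable domain."""
    fqdn = host if host.endswith(".") else host + "."
    first_party = registrable_domain(page_domain)
    return any(registrable_domain(n) != first_party
               for n in resolve_cname_chain(fqdn, table)[1:])


def cap_cookie_lifetime(set_cookie: str) -> str:
    """Rewrite a Set-Cookie header so a persistent cookie lives at most seven days.
    Expires= is dropped in favour of Max-Age (simplification; Max-Age wins per RFC 6265)."""
    kept, lifetime, persistent = [], None, False
    for part in (p.strip() for p in set_cookie.split(";")):
        low = part.lower()
        if low.startswith("max-age="):
            persistent, lifetime = True, int(part.split("=", 1)[1])
        elif low.startswith("expires="):
            persistent = True      # replaced by the capped Max-Age below
        else:
            kept.append(part)
    if not persistent:
        return set_cookie          # session cookie: nothing to cap
    if lifetime is None or lifetime > ITP_CAP_SECONDS:
        lifetime = ITP_CAP_SECONDS
    return "; ".join(kept + [f"Max-Age={lifetime}"])
```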

“The emerging CNAME tracking technique […] evades anti-tracking measures,” Olejnik said. “It introduces serious security and privacy issues. User data is leaking, persistently and consistently, without user awareness or consent. This likely triggers GDPR and ePrivacy related clauses.”

“In a way, this is the new low,” he added.
