CNAME Cloaking, the dangerous disguise of third-party trackers
How come AdBlock, Adblock Plus, uBlock Origin, Ghostery, Brave and Firefox are letting a third-party tracker from Eulerian, a leading tracking company, execute their script freely on fortuneo.fr, one of the biggest online banks in France?
How come the same thing is happening on thousands of other popular websites worldwide?
What has started to happen in the last few months in the world of third-party tracking is having a major impact on people’s privacy, and it all stayed pretty much under the radar.
For one of those websites, it all started with an email like this one:
This email is from Criteo, a leading tracking company, asking the website to make a quick change (“it takes 2 minutes”) to “adapt to the evolution of browsers” (i.e., work around tracking restrictions), and to be able to track people in a “more optimal way”.
Criteo is requesting the website to add a CNAME for domains like kvejdd.website.com (note the randomness of the subdomain, we will talk about it later) to dnsdelegation.io…
…OR ELSE, “you may lose 11,64% of your sales, 11,53% of your gross turnover and 20,82% of your audience”. Scary stuff.
A suitable name for this method would be CNAME Cloaking, and it is used to disguise a third-party tracker as a first-party tracker. In this case, they are also purposely obfuscating this behind a random subdomain, with a CNAME to a generic and unbranded domain.
Some tracking companies, like AT Internet (formerly XiTi), are even going to great lengths to completely distance themselves from the domain used as CNAME destination. Try figuring out which company at-o.net belongs to (hidden WHOIS information and AWS IPs). This is live right now on lemonde.fr, one of the top news websites in the world, and on many other websites.
Why will classic privacy-protection tools and restrictions have a hard time protecting you from this?
The way it used to work is website1.com would load a third-party tracker by calling something that looks like this: https://tracker.trackingcompany.com/j23jsak.js.
Another unrelated website (website2.com) would also be calling something that looks like this: https://tracker.trackingcompany.com/k2j4vs.js.
Privacy-protection tools would then simply need to automatically block any calls made to tracker.trackingcompany.com, and it would automatically protect you from Tracking Company third-party tracking. Done, it’s that easy.
With CNAME Cloaking, many problems arise that make it realistically impossible to block this:
- Browser extensions are not allowed access to the DNS layer of the request — i.e., they can’t see the CNAMEs. (1)
- When each website loads third-party trackers by calling something like a3ksbl.website.com, privacy-protection tools now have to figure out which subdomain is a front for CNAME Cloaking, for tens of thousands of websites. That’s a LOT of work.
- With each website now having its own subdomain cloaking the third-party tracker, those tools need to include as many rules as there are websites using this CNAME Cloaking method. Blocking a third-party tracker went from one rule to thousands.
Here is the problem though: those tools are already reaching the maximum number of rules allowed on each platform (50,000 for Safari, and 30,000 in the soon-to-be-released Google Chrome version with Manifest V3).
- The Criteo representative in the email was not lying, it does take 2 minutes to set this up. It also only takes 2 minutes to change dg3fkn.website.com to 3j4vdl.website.com (Hell, you can probably automate this). We mentioned above how much work it takes to gather all subdomains being used as a front for CNAME Cloaking. Now imagine they change every week, every day, or every hour. It’s just impossible to keep track.
This means that as CNAME Cloaking is being used on more and more websites, more and more people are suddenly being tracked (again).
How bad is it for privacy?
Let’s assume you visited website1.com that includes a third-party tracker from Tracking Company, then website2.com that also includes that tracker. Tracking Company would know that you visited both sites, and each website would send as much personal information to Tracking Company about who you are (rarely your name or email, but usually everything else they know about you — your age, gender, where you live, etc.), and what you did on the website.
From there, a website could agree to enrich the profiles Tracking Company has on their users by allowing them to combine the data gathered from their website to other websites (either as a mutual exchange, by paying, or both).
Quoting Criteo’s Twitter profile description:
“Criteo is a global tech company that enables brands & retailers to leverage terabytes of collaborative data to connect shoppers to the things they need & love”
Now, add to the pot data-gathering companies that have been known to create or buy Facebook games requiring a Facebook Connect, with the sole purpose of enriching Tracking Company’s profiles with even more data.
This is what happened during the 2016 United States presidential election: political campaigns — and foreign state actors, allegedly — were able to target specific types of voters very precisely and adapt their message to those voters accordingly thanks to profiles built by tracking companies.
There are 2 ways to track someone (i.e., being able to uniquely identify someone on different websites, and over time):
Third-party trackers used to be able to set a unique identifier in your browser that they could read at will on the different websites you visit, as long as this third-party tracker was included by the website.
Most browsers now include protections against this (i.e., third-party tracker cookies and caches are sandboxed by Origin, and sometimes more), and tracking companies have publicly (or privately) switched to a method called fingerprinting, which is perfectly compatible with CNAME Cloaking.
Fingerprinting is building a unique identifier by combining multiple properties that by themselves are not unique to you, bypassing browser restrictions on cookies, and even being able to track you between devices (which cookies can’t do). Some of these properties are your IP address, your operating system version, your browser version, your computer language, your computer time, the size of your screen, the pixel density of your screen, how fast your computer is, and the list goes on and on.
There is not a more ideal situation for a third-party tracker that wants to fingerprint you than being able to execute their own script from a subdomain of the website itself, as putting restrictions in place against this would negatively affect the websites themselves.
Who is currently doing this?
Below are the 6 tracking companies that are currently using CNAME cloaking:
And here are a few websites with a large audience that are disguising third-party trackers as first-party trackers using this method:
foxnews.com, walmart.com, bbc.co.uk, go.com, webmd.com, washingtonpost.com, weather.com, fnac.com, fortuneo.fr, liberation.fr, lemonde.fr, oui.sncf, rueducommerce.fr, sfr.fr, pmu.fr, laredoute.fr, boulanger.fr, coach.com, gap.com, anntaylor.com, cnn.com, boursorama.com, arstechnica.com, saksfifthavenue.com, brandalley.fr, greenweez.com, habitat.fr, maeva.com, younited-credit.com, mathon.fr, destinia.com, vente-unique.com, nrjmobile.fr, t-mobile.com, statefarm.com, …
A quick look at the non-exhaustive list of domains currently CNAME’ing to dnsdelegation.io (that’s the one from Criteo) shows that this is being applied to quite a few websites already.
Security implications of CNAME Cloaking
While it is considered bad practice for a website to set cookies as accessible to all subdomains (i.e., *.website.com), many do this. In that case, those cookies are automatically sent to the cloaked third-party tracker.
One of those cookies could be an authentication cookie. Anyone in possession of this cookie can impersonate the user and access private user information.
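To audit a site for this exposure, the sketch below (an added example, not from the original article) applies the cookie Domain-matching rule to a set of Set-Cookie headers and lists the cookies a browser would attach to requests for a cloaked subdomain. The header values and hostnames are constructed, and every cookie is assumed to use Path=/.

```python
# Constructed Set-Cookie headers as served by www.website.com.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Domain=.website.com; Path=/; Secure; HttpOnly",
    "csrf=xyz; Path=/; Secure",                 # no Domain: host-only
    "prefs=dark; Domain=website.com; Path=/",
    "cart=42; Domain=www.website.com; Path=/",
]


def parse_set_cookie(header):
    """Return (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def sent_to(host, setting_host, attrs):
    """Domain-matching: would the browser send this cookie to host?"""
    host = host.lower()
    # A leading dot in Domain is ignored by browsers.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        # Host-only cookie: sent only to the exact host that set it.
        return host == setting_host.lower()
    return host == domain or host.endswith("." + domain)


def cookies_exposed(set_cookie_headers, setting_host, cloaked_host):
    """Names of cookies that reach the cloaked subdomain.

    Secure and HttpOnly are deliberately not checked: HttpOnly only hides
    a cookie from page scripts, and Secure only requires HTTPS. Neither
    stops the cookie from being sent in requests to a matching subdomain.
    """
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if sent_to(cloaked_host, setting_host, attrs):
            exposed.append(name)
    return exposed
```

Here the HttpOnly session cookie is still exposed, while the host-only csrf cookie and the cookie scoped to www.website.com are not, which is why omitting the Domain attribute on authentication cookies limits the damage.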
Case in point, liberation.fr:
Can CNAME Cloaking also be used to serve ads?
DNS-level blocking to the rescue
There is good news though. This can easily be detected and blocked at the DNS level, and at NextDNS we released protections against CNAME Cloaking as soon as this started spreading, and we are continuously monitoring the situation to adapt quickly to methods like this.
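As an added illustration of why the DNS layer is the right place to catch this (example code, not NextDNS's implementation), the sketch below follows a hostname's CNAME chain and flags it if any hop lands under a known tracker domain. The record map is constructed sample data standing in for resolver answers; dnsdelegation.io and at-o.net are the destinations named in this article, and all other names are made up.

```python
# Constructed resolver data: hostname -> CNAME target. Only dnsdelegation.io
# and at-o.net come from the article; every other name is made up.
SAMPLE_CNAMES = {
    "kvejdd.website.com": "website-com.dnsdelegation.io",
    "a3ksbl.shop.example": "edge.shop-example.at-o.net",
    "edge.shop-example.at-o.net": "lb-1.cloud.example",
    "cdn.website.com": "website.cdn-provider.example",
    "loop.website.com": "loop2.website.com",
    "loop2.website.com": "loop.website.com",
}

# One entry per tracking company, however many site subdomains point at it.
TRACKER_SUFFIXES = ("dnsdelegation.io", "at-o.net")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.rstrip(".").lower()


def cname_chain(host, records, max_depth=8):
    """Follow CNAMEs from host; stop on loops or after max_depth hops."""
    chain, seen = [], {normalize(host)}
    current = normalize(host)
    while current in records and len(chain) < max_depth:
        current = normalize(records[current])
        if current in seen:
            break
        seen.add(current)
        chain.append(current)
    return chain


def matches_suffix(name, suffix):
    """Label-aligned match, so 'evil-at-o.net' does not match 'at-o.net'."""
    return name == suffix or name.endswith("." + suffix)


def cloaked_tracker(host, records, suffixes=TRACKER_SUFFIXES):
    """Return the tracker suffix hit anywhere in the chain, else None."""
    for target in cname_chain(host, records):
        for suffix in suffixes:
            if matches_suffix(target, suffix):
                return suffix
    return None
```

Because the rule is keyed on the CNAME destination, rotating the random subdomain does not evade it, and checking every hop rather than only the last catches chains that continue on to a generic cloud hostname.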
In the spirit of open discussion and full disclosure, we will automatically copy/paste below any comments made by the mentioned companies to firstname.lastname@example.org.
No comment has been made at this time.
(1) Firefox for desktop does allow extensions to make DNS queries themselves, and extensions like uBlock Origin already apply their blocking rules to intermediary CNAMEs as well. It’s worth noting that unfortunately, Firefox’s current market share is below 5%.