With browser makers steadily clamping down on third-party tracking, advertising technology companies are increasingly embracing a DNS technique to evade such defenses, thereby posing a threat to web security and privacy.
Called CNAME Cloaking, the practice of blurring the distinction between first-party and third-party cookies not only results in leaking sensitive private information without users’ knowledge and consent but also “increases [the] web security threat surface,” said a group of researchers Yana Dimova, Gunes Acar, Lukasz Olejnik, Wouter Joosen, and Tom Van Goethem in a new study.
“This tracking scheme takes advantage of a CNAME record on a subdomain such that it is same-site to the including web site,” the researchers said in the paper. “As such, defenses that block third-party cookies are rendered ineffective.”
The findings are expected to be presented in July at the 21st Privacy Enhancing Technologies Symposium (PETS 2021).
Rise of Anti-Tracking Measures
Over the past four years, all major browsers, with the notable exception of Google Chrome, have included countermeasures to curb third-party tracking.
Apple set the ball rolling with a Safari feature called…