Security News > 2021 > February > What's CNAME of your game? This DNS-based tracking defies your browser privacy defenses

Boffins based in Belgium have found that a DNS-based technique for bypassing defenses against online tracking has become increasingly common and represents a growing threat to both privacy and security.

In a research paper to be presented in July at the 21st Privacy Enhancing Technologies Symposium, KU Leuven-affiliated researchers Yana Dimova, Gunes Acar, Wouter Joosen, and Tom Van Goethem, and privacy consultant Lukasz Olejnik, delve into increasing adoption of CNAME-based tracking, which abuses DNS records to erase the distinction between first-party and third-party contexts.

While online publishers have been happy to allow advertisers to run third-party tracking code on their websites to collect data and follow people as they visit different websites, internet users and privacy-focused web browsers have ramped up privacy defenses over the past few years to limit the application of web-based tracking.

A different CNAME tracking vendor was found to provide a way to link a user's email to the user's browser fingerprint - a hash based on various measurable browser characteristics.

The researchers report that ad tech biz Criteo switches specifically to CNAME tracking - putting its cookies into a first-party context - when its trackers encountered users of Safari, which has strong third-party cookie defenses.

According to Olejnik, CNAME tracking can defeat most anti-tracking techniques and there are few defenses against it.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/24/dns_cname_tracking/