Date: 2022-11-19
from the cat-and-mouse dept.
Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much
Developers working on open-source ad-blocker uBlock Origin have uncovered a mechanism for tracking web browsers around the internet that defies today's blocking techniques.
A method to block this so-called unblockable tracker has been developed by the team, though it only works in Firefox, leaving Chrome and possibly other browsers susceptible. This fix is now available to uBlock Origin users.
[...]Here's where it all began: in a GitHub issue earlier this month, a developer who goes by the name Aeris online said that French newspaper website liberation.fr uses a tracker crafted by French marketing analytics outfit Eulerian "that seems to be unblockable."
What makes it so is that the domain referenced appears to be a first-party page element – associated with the website publisher's domain – rather than a third-party page element – associated with a domain other than the visited website.
[...]In a conversation with The Register, Aeris said Criteo, an ad retargeting biz, appears to have deployed the technique to their customers recently, which suggests it will become more pervasive. Aeris added that DNS delegation clearly violates Europe's GDPR, which "clearly states that 'user-centric tracking' requires consent, especially in the case of a third-party service usage."
[...]"This exploit has been around for a long time, but is particularly useful now because if you can pretend to be a first-party cookie, then you avoid getting blocked by ad blockers, and the major browsers – Chrome, Safari, and Firefox," said Augustine Fou, a cybersecurity and ad fraud researcher who advises companies about online marketing, in an email to The Register.
"This is an exploit, not an 'oopsies,' because it is a hidden and deliberate action to make a third-party cookie appear to be first-party to skirt privacy regulations and consumer choice. This is yet another example of the 'badtech industrial complex' protecting its river of gold."
[...]Using DNS records to make a third-party domain appear to be first-party was documented previously in a 2014 paper by Lukasz Olejnik and Claude Castelluccia, researchers with Inria, a French research institute. The technique is also discussed in a 2010 academic research paper, "Cookie Blocking and Privacy: First Parties Remain a Risk," by German Gomez, Julian Yalaju, Mario Garcia, and Chris Hoofnagle.
Two days ago, uBlock Origin developer Raymond Hill deployed a fix for Firefox users in uBlock Origin v1.24.1b0. Firefox supports an API to resolve the hostname of a DNS record, which can unmask CNAME shenanigans, thereby allowing developers to craft blocking behavior accordingly.
"uBO is now equipped to deal with third-party disguised as first-party as far as Firefox's browser.dns allows it," Hill wrote, adding that he assumes this can't be fixed in Chrome at the moment because Chrome doesn't have an equivalent DNS resolution API.
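The check this makes possible, sketched as an added example (not uBlock Origin's code, and not from the article): evaluate each request under both its visible hostname and the canonical name DNS returns. The hostnames are the examples quoted in the comments on this page; the blocklist entry, the `cdn.example` alias, and the two-label domain heuristic are assumptions.

```javascript
// Constructed sample data: hostnames are the examples quoted on this page;
// the blocklist entry and the "cdn.example" alias are hypothetical.
const BLOCKLIST = new Set(["eulerian.net"]);
const CONSTRUCTED_DNS = new Map([
  ["f7ds.liberation.fr", "liberation.eulerian.net"], // cloaked tracker
  ["img.liberation.fr", "edge.cdn.example"],         // benign off-site alias
]);

// Simplification: treat the last two labels as the registrable domain.
// Production code must consult the Public Suffix List (e.g. for co.uk).
function registrableDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// True if the host or any of its parent domains is on the blocklist.
function onBlocklist(host, blocklist) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Pure decision step: judge the request under its visible name AND under
// the canonical name the DNS lookup returned.
function classify(pageHost, requestHost, canonicalName, blocklist) {
  const site = registrableDomain(pageHost);
  const looksFirstParty = registrableDomain(requestHost) === site;
  const aliasedOffSite =
    registrableDomain(canonicalName) !== registrableDomain(requestHost);
  const canonicalBlocked = onBlocklist(canonicalName, blocklist);
  return {
    looksFirstParty,
    aliasedOffSite, // true for ordinary CDNs too, so never block on this alone
    cloakedTracker: looksFirstParty && aliasedOffSite && canonicalBlocked,
    block: onBlocklist(requestHost, blocklist) || canonicalBlocked,
  };
}

// Resolver stand-in. In a Firefox extension with the "dns" permission the
// lookup would be browser.dns.resolve(host, ["canonical_name"]), and the
// alias target is the returned record's canonicalName.
async function checkRequest(pageHost, requestHost) {
  const canonical = CONSTRUCTED_DNS.get(requestHost) ?? requestHost;
  return classify(pageHost, requestHost, canonical, BLOCKLIST);
}
```

An off-site alias alone is not a verdict, since CDNs are wired up the same way; the request is blocked only when the canonical name matches a filter.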
(Score: 2) by progo on Friday November 22, @06:23AM (2 children)
Correct me if I'm wrong. I'm restating the problem here because the summary doesn't seem to:
A target site with content you want to read (example https://www.liberation.fr/)
… serves a page with an embedded resource on a CNAME on their own domain (example f7ds.liberation.fr),
… which actually resolves to a tracking server's hostname (example liberation.eulerian.net)
… that sets a global-scope tracking cookie for this client.
And the tracking server is from a domain that conducts surveillance.
(Score: 2) by progo on Friday November 22, @06:26AM (1 child)
Sorry. I guess the summary does explain it, but I got lost in all the "first party" and "third party" mumbo jumbo mixed with buzzwords.
(Score: 0) by Anonymous Coward on Friday November 22, @06:32AM
So do your own tracking, then send it to a 3rd party database and correlate, rather than directly tracking by 3rd party, which is easy to block.