CNAME cloaking / Forter tracking

[joepie91]

My attention was drawn recently to the existence of Forter, which is a company that fingerprints browsers for "fraud prevention purposes". A sample of their tracking code can be found here.

I haven't looked at it in depth, but from what I've been told, they use Silverlight, Flash, Java, video streams, WebRTC, fake source maps (for detecting DevTools), etc. to build a fingerprint of users.

The problem is that they apparently also support CNAMEs and inlined versions of their code (such as here), which means that mere third-party cookie blocking isn't sufficient to prevent their fingerprinting.

Would it be possible to somehow block this type of fingerprinting using Privacy Badger as well?

[alexristich]

Great question. Fingerprint detection + blocking is something that I'm hoping to look at in detail in the coming weeks and months. I really hope the answer is yes, but more research needs to be done here to determine if this is possible, and if so to what extent.

I'll let @cooperq weigh in with any thoughts as well. Plans are in the works though!

[ghost]

Here are a few more heavily packed and obfuscated scripts that attempt to exfiltrate as much info as possible. They include WebGL and some have shown aggresive websocket-based port scanning via discovering your internal IPs over WebRTC.

They're in code blocks because you may be served different content based on your referer header.

- http://cdn.siftscience.com/s.js
- http://dtlilztwypawv.cloudfront.net/s.js

- https://h.online-metrix.net/fp/check.js?org_id=u8fxw6sf&session_id=0
- also attempts to load some applets from https://h.online-metrix.net/fp/fp.swf and others 

- http://cdn.augur.io/augur.min.js

iovation / reputationmanager (also loads DLLs and other extreme nasties if allowed to -- often installed with a rootkit-esque driver from games -- google for "stmocx.dll", intended to track users across devices aggressively and including mobile and desktop)

- https://first.iovation.com/latest/dyn_wdp.js
- https://login.ncsoft.com/resources/script/static_wdp.js 
        (CNAMEd, locally hosted to bypass NoScript, etc)
- https://mpsnare.iesnare.com/script/logo.js
- https://mpsnare.iesnare.com/snare.js
- https://mpsnare.iesnare.com/stmgwb2.swf

[cooperq]

Definitely worth looking into this for sure!

I think that we might have luck detecting the modes of fingerprinting they are using or even trying to fingerprint the fingerprinting scripts maybe based on variables or behavior?

@alexristich this might be a good research project!

[Smoothstep]

As far as I have tested this, it is possible to get iesnare confused by using the -incognito mode. The generated token info is saved into the browser database and into your cookie storage.
The snare.js script is using flash, of course, but it's not possible to load a .dll, without having the environment that would provide such an option. I highly doubt that there is much relevant information it could gather just by using the browser interface functions.

The header signature of the token, generated by snare.js, is 0400 while if you already loaded stmOCX.cab/dll once, it would probably be 0200, in case you didn't delete the flash player local cache file that contains the token.
This 0200 token is simply an hash of the creation time and a random UID. It would only be considered as valid if and only if it was sent with a valid device information structure before.

I have analyzed their ocx library and as a result I'm able to generate fake tokens now, by using their hash and aes crypt function. The token structure consists of a plenty (device) Id's, MAC, .. + the SNPR1 (UID + timestamp hash). I have also created a structure table for this.

Those tokens are generally used to protect online accounts from unauthorized devices and they also allow the owner to get rid of bad devices instead just of the ip.
It would be better to have an browser inbuilt protection against this. Therefore the chrome contributors should be made aware of the fingerprint generators and how they work. (Action script..)

You can find some documentations from iovation about the "fraud protection" in google patents.

[joepie91]

Another odd tracker: Smartlook - they claim that "We will record everything visitors do on your site. Absolutely for free."

Their endpoint is http://b1.getsmartlook.com/rec/write, apparently.

[Mikaela]

I think this CNAME cloaking is currently a growing phenomenon or at least it has been talked a lot more recently within my bubble. For example µBlock saw uBlockOrigin/uBlock-issues#780 and uBlockOrigin/uAssets#6538 and I have seen NextDNS's CNAME Cloaking, the dangerous disguise of third-party trackers from Friday being linked around (while it appears a self-advertisement).

[Mikaela]

I just became aware of uBlock Origin for Firefox addresses new first-party tracking method by ghacks.net and judging by it, I think protecting from CNAME cloaking is going to be difficult as it requires changing about:config on Firefox and is incompatible with Chromium due to a missing API unless there is some different way to do it.

I am not a coder though.

[Atavic]

A different way is to block it before it reaches the browser, something like pi-hole.

[ghostwords]

Privacy Badger might be able to leverage the list of CNAME-cloaked tracker domains published by AdGuard to defeat CNAME cloaking in all browsers (Chrome does not yet support CNAME uncloaking directly by extensions).

[sillyjaybird]

Does Privacy Badger current version block CNAME trackers in Firefox? I see this b6f032c, which is the reason for my question.

[ghostwords]

We use CNAME mapping lists from AdGuard to "uncloak" CNAME trackers in all browsers as of Privacy Badger version 2021.6.8.