CNAME cloaking / Forter tracking #926
Comments
Great question. Fingerprint detection + blocking is something that I'm hoping to look at in detail in the coming weeks and months. I really hope the answer is yes, but more research needs to be done here to determine if this is possible, and if so to what extent. I'll let @cooperq weigh in with any thoughts as well. Plans are in the works though!
Here are a few more heavily packed and obfuscated scripts that attempt to exfiltrate as much info as possible. They include WebGL and some have shown aggressive websocket-based port scanning via discovering your internal IPs over WebRTC. They're in code blocks because you may be served different content based on your referer header.
iovation / reputationmanager (also loads DLLs and other extreme nasties if allowed to -- often installed with a rootkit-esque driver from games -- google for "stmocx.dll", intended to track users across devices aggressively and including mobile and desktop)
Definitely worth looking into this for sure! I think that we might have luck detecting the modes of fingerprinting they are using or even trying to fingerprint the fingerprinting scripts maybe based on variables or behavior? @alexristich this might be a good research project!
As far as I have tested this, it is possible to get iesnare confused by using the -incognito mode. The generated token info is saved into the browser database and into your cookie storage. The header signature of the token, generated by snare.js, is 0400, while if you already loaded stmOCX.cab/dll once, it would probably be 0200, in case you didn't delete the flash player local cache file that contains the token. I have analyzed their ocx library and as a result I'm able to generate fake tokens now, by using their hash and aes crypt function. The token structure consists of plenty of (device) IDs, MAC, .. + the SNPR1 (UID + timestamp hash). I have also created a structure table for this. Those tokens are generally used to protect online accounts from unauthorized devices and they also allow the owner to get rid of bad devices instead of just the IP. You can find some documentation from iovation about the "fraud protection" in google patents.
Another odd tracker: Smartlook - they claim that "We will record everything visitors do on your site. Absolutely for free." Their endpoint is http://b1.getsmartlook.com/rec/write, apparently.
I think this CNAME cloaking is currently a growing phenomenon, or at least it has been talked about a lot more recently within my bubble. For example, µBlock saw uBlockOrigin/uBlock-issues#780 and uBlockOrigin/uAssets#6538, and I have seen NextDNS's "CNAME Cloaking, the dangerous disguise of third-party trackers" from Friday being linked around (while it appears to be a self-advertisement).
I just became aware of "uBlock Origin for Firefox addresses new first-party tracking method" by ghacks.net and judging by it, I think protecting from CNAME cloaking is going to be difficult as it requires changing I am not a coder though.
A different way is to block it before it reaches the browser, something like pi-hole.
Privacy Badger might be able to leverage the list of CNAME-cloaked tracker domains published by AdGuard to defeat CNAME cloaking in all browsers (Chrome does not yet support CNAME uncloaking directly by extensions). |
Does the current version of Privacy Badger block CNAME trackers in Firefox? I see this b6f032c, which is the reason for my question.
We use CNAME mapping lists from AdGuard to "uncloak" CNAME trackers in all browsers as of Privacy Badger version 2021.6.8. |
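The two replies above describe the uncloaking idea in one sentence: a request to a first-party-looking hostname is mapped through its CNAME chain to the canonical name, and the tracker/third-party decision is made on that canonical name instead. The following is an added illustration of that logic, not Privacy Badger's own code and not AdGuard's list format; the CNAME mapping and the tracker list are constructed sample data, and the base-domain helper is a deliberate simplification (two trailing labels) where real code would consult a public suffix list.

```python
"""CNAME uncloaking check (added example; not Privacy Badger's code).

Given a CNAME mapping (stand-in for a DNS lookup or a published CNAME
mapping list) and a set of known tracker domains, decide whether a
first-party-looking request hostname actually resolves to a tracker.
"""
from typing import Dict, List, Optional, Set

# Constructed sample CNAME mapping: alias -> CNAME target, one hop per entry.
# "metrics.example-shop.com" looks first-party but chains to a tracker;
# "static.example-shop.com" chains to a CDN that is third-party but not a tracker.
SAMPLE_CNAMES: Dict[str, str] = {
    "metrics.example-shop.com": "example-shop.tracker-cdn.example",
    "example-shop.tracker-cdn.example": "edge.tracker.example",
    "static.example-shop.com": "d123.cdn-provider.example",
}

# Constructed sample tracker list: one registrable domain per entry.
SAMPLE_TRACKERS: Set[str] = {"tracker.example"}


def base_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels.
    Assumption for the example only; real code needs a public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def cname_chain(host: str, cnames: Dict[str, str], max_hops: int = 8) -> List[str]:
    """Follow CNAME records from host, stopping at a non-alias, a loop,
    or max_hops. The first element is always the requested host."""
    chain = [host]
    seen = {host}
    current = host
    for _ in range(max_hops):
        target = cnames.get(current)
        if target is None or target in seen:
            break  # canonical name reached, or a CNAME loop
        chain.append(target)
        seen.add(target)
        current = target
    return chain


def known_tracker(host: str, trackers: Set[str]) -> Optional[str]:
    """Return the tracker list entry that host or any parent domain matches."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in trackers:
            return candidate
    return None


def uncloak(request_host: str, page_host: str,
            cnames: Dict[str, str], trackers: Set[str]) -> dict:
    """Resolve the request host's CNAME chain and classify it against the
    page's own domain. 'cloaked' means the alias looked first-party but the
    canonical name is third-party; 'tracker' is set only when some name in
    the chain is on the tracker list."""
    chain = cname_chain(request_host, cnames)
    canonical = chain[-1]
    looks_first_party = base_domain(request_host) == base_domain(page_host)
    third_party = base_domain(canonical) != base_domain(page_host)
    tracker = None
    for alias in chain[1:]:  # only CNAME targets, not the request host itself
        tracker = known_tracker(alias, trackers)
        if tracker:
            break
    return {
        "request_host": request_host,
        "chain": chain,
        "canonical": canonical,
        "third_party": third_party,
        "cloaked": len(chain) > 1 and looks_first_party and third_party,
        "tracker": tracker,
    }


def should_block(result: dict) -> bool:
    """Block only a third-party canonical name that is on the tracker list;
    a first-party-looking CNAME to a plain CDN is left alone."""
    return result["third_party"] and result["tracker"] is not None


if __name__ == "__main__":
    page = "www.example-shop.com"
    for host in ("metrics.example-shop.com", "static.example-shop.com", page):
        r = uncloak(host, page, SAMPLE_CNAMES, SAMPLE_TRACKERS)
        print(host, "->", r["canonical"], "| cloaked:", r["cloaked"],
              "| tracker:", r["tracker"], "| block:", should_block(r))
```

The distinction between `cloaked` and `tracker` is the practical point: many sites legitimately CNAME a first-party subdomain to a CDN, so a mapping-based approach has to combine the uncloaked name with a tracker list (or the usual heuristics) rather than blocking every cross-domain CNAME.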
My attention was drawn recently to the existence of Forter, which is a company that fingerprints browsers for "fraud prevention purposes". A sample of their tracking code can be found here.
I haven't looked at it in depth, but from what I've been told, they use Silverlight, Flash, Java, video streams, WebRTC, fake source maps (for detecting DevTools), etc. to build a fingerprint of users.
The problem is that they apparently also support CNAMEs and inlined versions of their code (such as here), which means that mere third-party cookie blocking isn't sufficient to prevent their fingerprinting.
Would it be possible to somehow block this type of fingerprinting using Privacy Badger as well?