Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CNAME cloaking / Forter tracking #926

Open
joepie91 opened this issue Sep 14, 2016 · 8 comments
Open

CNAME cloaking / Forter tracking #926

joepie91 opened this issue Sep 14, 2016 · 8 comments

Comments

@joepie91
Copy link

@joepie91 joepie91 commented Sep 14, 2016

My attention was drawn recently to the existence of Forter, which is a company that fingerprints browsers for "fraud prevention purposes". A sample of their tracking code can be found here.

I haven't looked at it in depth, but from what I've been told, they use Silverlight, Flash, Java, video streams, WebRTC, fake source maps (for detecting DevTools), etc. to build a fingerprint of users.

The problem is that they apparently also support CNAMEs and inlined versions of their code (such as here), which means that mere third-party cookie blocking isn't sufficient to prevent their fingerprinting.

Would it be possible to somehow block this type of fingerprinting using Privacy Badger as well?

@alexristich

This comment has been minimized.

Copy link
Collaborator

@alexristich alexristich commented Sep 14, 2016

Great question. Fingerprint detection + blocking is something that I'm hoping to look at in detail in the coming weeks and months. I really hope the answer is yes, but more research needs to be done here to determine if this is possible, and if so to what extent.

I'll let @cooperq weigh in with any thoughts as well. Plans are in the works though!

@costpermille

This comment has been minimized.

Copy link

@costpermille costpermille commented Sep 14, 2016

Here are a few more heavily packed and obfuscated scripts that attempt to exfiltrate as much info as possible. They include WebGL and some have shown aggresive websocket-based port scanning via discovering your internal IPs over WebRTC.

They're in code blocks because you may be served different content based on your referer header.

- http://cdn.siftscience.com/s.js
- http://dtlilztwypawv.cloudfront.net/s.js
- https://h.online-metrix.net/fp/check.js?org_id=u8fxw6sf&session_id=0
- also attempts to load some applets from https://h.online-metrix.net/fp/fp.swf and others 
- http://cdn.augur.io/augur.min.js

iovation / reputationmanager (also loads DLLs and other extreme nasties if allowed to -- often installed with a rootkit-esque driver from games -- google for "stmocx.dll", intended to track users across devices aggressively and including mobile and desktop)

- https://first.iovation.com/latest/dyn_wdp.js
- https://login.ncsoft.com/resources/script/static_wdp.js 
        (CNAMEd, locally hosted to bypass NoScript, etc)
- https://mpsnare.iesnare.com/script/logo.js
- https://mpsnare.iesnare.com/snare.js
- https://mpsnare.iesnare.com/stmgwb2.swf
@cooperq cooperq added the enhancement label Sep 21, 2016
@cooperq

This comment has been minimized.

Copy link
Contributor

@cooperq cooperq commented Sep 21, 2016

Definitely worth looking into this for sure!

I think that we might have luck detecting the modes of fingerprinting they are using or even trying to fingerprint the fingerprinting scripts maybe based on variables or behavior?

@alexristich this might be a good research project!

@SpeedPing

This comment has been minimized.

Copy link

@SpeedPing SpeedPing commented Sep 27, 2016

As far as I have tested this, it is possible to get iesnare confused by using the -incognito mode. The generated token info is saved into the browser database and into your cookie storage.
The snare.js script is using flash, of course, but it's not possible to load a .dll, without having the environment that would provide such an option. I highly doubt that there is much relevant information it could gather just by using the browser interface functions.

The header signature of the token, generated by snare.js, is 0400 while if you already loaded stmOCX.cab/dll once, it would probably be 0200, in case you didn't delete the flash player local cache file that contains the token.
This 0200 token is simply an hash of the creation time and a random UID. It would only be considered as valid if and only if it was sent with a valid device information structure before.

I have analyzed their ocx library and as a result I'm able to generate fake tokens now, by using their hash and aes crypt function. The token structure consists of a plenty (device) Id's, MAC, .. + the SNPR1 (UID + timestamp hash). I have also created a structure table for this.

Those tokens are generally used to protect online accounts from unauthorized devices and they also allow the owner to get rid of bad devices instead just of the ip.
It would be better to have an browser inbuilt protection against this. Therefore the chrome contributors should be made aware of the fingerprint generators and how they work. (Action script..)

You can find some documentations from iovation about the "fraud protection" in google patents.

@joepie91

This comment has been minimized.

Copy link
Author

@joepie91 joepie91 commented Oct 1, 2016

Another odd tracker: Smartlook - they claim that "We will record everything visitors do on your site. Absolutely for free."

Their endpoint is http://b1.getsmartlook.com/rec/write, apparently.

@cooperq cooperq added this to the Privacy Badger 2.0 milestone Oct 3, 2016
@happyyo

This comment was marked as off-topic.

Copy link

@happyyo happyyo commented Mar 6, 2017

Hey @SpeedPing i would like for u to join my team am working on a tool to bypass the trackers you can email me
thelord8731(the @Sign)gmail.com

@Mikaela

This comment has been minimized.

Copy link

@Mikaela Mikaela commented Nov 24, 2019

I think this CNAME cloaking is currently a growing phenomenon or at least it has been talked a lot more recently within my bubble. For example µBlock saw uBlockOrigin/uBlock-issues#780 and uBlockOrigin/uAssets#6538 and I have seen NextDNS's CNAME Cloaking, the dangerous disguise of third-party trackers from Friday being linked around (while it appears a self-advertisement).

@ghostwords ghostwords changed the title Forter tracking CNAME cloaking / Forter tracking Nov 25, 2019
@Mikaela

This comment has been minimized.

Copy link

@Mikaela Mikaela commented Nov 26, 2019

I just became aware of uBlock Origin for Firefox addresses new first-party tracking method by ghacks.net and judging by it, I think protecting from CNAME cloaking is going to be difficult as it requires changing about:config on Firefox and is incompatible with Chromium due to a missing API unless there is some different way to do it.

I am not a coder though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
8 participants
You can’t perform that action at this time.