A team of Belgian researchers has discovered some new online tracking techniques that can bypass most existing anti-tracking tools by exploiting design and implementation flaws in how browsers manage cookies.
Breaking Cookie Policies
Anti-tracking tools, such as Firefox’s Tracking Protection and certain ad-blockers with such features, typically rely on well-behaving advertisers that follow browsers’ standard cookie policies. However, what happens if some advertisers try to bypass those cookie policies? That’s the question that the Belgian researchers asked themselves too.
As it seems, if trackers can circumvent the standard cookie policies, then they can also evade anti-tracking tools. The group said:
"In our research, we created a framework to verify whether all imposed cookie- and request-policies are correctly applied. Worryingly, we found that most mechanisms could be circumvented: for instance for all ad-blocking and anti-tracking browser extensions we discovered at least one technique that could bypass the policies.”
The researchers tested seven browsers, 31 ad-blockers and 15 anti-tracking extensions. They identified seven techniques that could be used to bypass all of these anti-tracking tools.
These techniques exploit:
- The deprecated but still supported AppCache API, as well as its successor, the ServiceWorker API
- JavaScript used in PDF files
- HTML tags
- Response headers
- Various redirects
- Some JavaScript APIs
Mitigation
The researchers reported all of the flaws to the browser vendors, and most of them should be fixed soon. Some of them, such as the AppCache API, will not be fixed because it’s already deprecated, so it will soon no longer be used.
Other methods, such as tracking through embedded JavaScript code inside PDF files that are opened in Chrome’s PDF viewer, can’t be mitigated, so it will not be fixed. Chrome’s sandboxing doesn’t allow any extension to intercept data from other extensions, which means extensions (including anti-tracking tools) won’t be able to block trackers embedded in PDF files either.
For this research, the Belgium academics won the Distinguished Paper prize and the Internet Defense Prize at the Usenix Security Symposium in Baltimore, Maryland, this week.
