These Tracking Tricks Can Bypass Your Anti-Tracking Tools

Firefox for iOS with Tracking Protection Credit: MozillaFirefox for iOS with Tracking Protection Credit: Mozilla

A team of Belgian researchers has discovered some new online tracking techniques that can bypass most existing anti-tracking tools by exploiting design and implementation flaws in how browsers manage cookies.

Breaking Cookie Policies

Anti-tracking tools, such as Firefox’s Tracking Protection and certain ad-blockers with such features, typically rely on well-behaving advertisers that follow browsers’ standard cookie policies. However, what happens if some advertisers try to bypass those cookie policies? That’s the question that the Belgian researchers asked themselves too.

As it seems, if trackers can circumvent the standard cookie policies, then they can also evade anti-tracking tools. The group said:

"In our research, we created a framework to verify whether all imposed cookie- and request-policies are correctly applied. Worryingly, we found that most mechanisms could be circumvented: for instance for all ad-blocking and anti-tracking browser extensions we discovered at least one technique that could bypass the policies.”

The researchers tested seven browsers, 31 ad-blockers and 15 anti-tracking extensions. They identified seven techniques that could be used to bypass all of these anti-tracking tools.

These techniques exploit:

  • The deprecated but still supported AppCache API, as well as its successor, the ServiceWorker API
  • JavaScript used in PDF files
  • HTML tags
  • Response headers
  • Various redirects
  • Some JavaScript APIs

Mitigation

The researchers reported all of the flaws to the browser vendors, and most of them should be fixed soon. Some of them, such as the AppCache API, will not be fixed because it’s already deprecated, so it will soon no longer be used.

Other methods, such as tracking through embedded JavaScript code inside PDF files that are opened in Chrome’s PDF viewer, can’t be mitigated, so it will not be fixed. Chrome’s sandboxing doesn’t allow any extension to intercept data from other extensions, which means extensions (including anti-tracking tools) won’t be able to block trackers embedded in PDF files either.

For this research, the Belgium academics won the Distinguished Paper prize and the Internet Defense Prize at the Usenix Security Symposium in Baltimore, Maryland, this week.

Create a new thread in the News comments forum about this subject
This thread is closed for comments
3 comments
Comment from the forums
    Your comment
  • bit_user
    Anonymous said:
    methods, such as tracking through embedded JavaScript code inside PDF files that are opened in Chrome’s PDF viewer

    OMG! Why on Earth does PDF need embedded Javascript?

    Is there any way to simply disable that? I'm really not interested in reading any PDF files which are broken by this.

    Or, what about allowing it, but blocking all network requests by said JS?
  • engineer5261
    Slow day huh?
  • DavidGurney
    In other news: Trump is still a POS.