During our studies of Real-Time Bidding, we encountered an interesting case. As the aforementioned linked description states, RTB works as follows: (1) a user visits a publisher's site; (2) the Ad Exchange sends bid requests for this ad impression to its bidders; (3) the bidders send their bids; (4) the winner serves an ad.
There are a number of Ad Exchanges providing RTB auctions, for example Doubleclick (doubleclick.net) and App Nexus (adnxs.com). Serving an ad usually requires sending an ad snippet. For example, the winner's ad snippet could be supplied by a *doubleclick.net hostname. But in the case of one Ad Exchange, we discovered a process that looks "as if" a site such as example.com serves its ads to itself.
However, this is not the case and it works as follows. A publisher's site such as example.com provides a DNS alias ox-d.example.com. The server pointed to by this alias is operated by OpenX, the Ad Exchange. This means that whenever connecting to example.com, a request to ox-d.example.com is made. There is nothing unusual in this per se. However, it is important to realize that browser cookies broadly scoped for .example.com are included in a request to the external 3rd-party site, here operated by OpenX.
We verified that cookies are transferred; in fact, this takes place even if Firefox is configured to block 3rd-party cookies (an obvious consequence of how 3rd-party cookie blocking in Firefox, and the Web, works). Another result is that the Ghostery extension does not prevent this request. For example, the Google Analytics cookies issued per Web site might be appended to this request, as Google Analytics' cookies are usually set with a broad scope and are consequently also sent during a request to ox-d.example.com. An interesting side effect is that the controller of this scheme (OpenX in this case) is in a position to recognize revisiting users using cookies of other entities.
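The scoping behaviour described above can be checked on one's own site with a short audit. This is an added example, not code from the report: the alias target `delivery.adexchange.example`, the cookie jar contents and all function names are constructed for illustration, and the registrable domain is approximated by the last two labels instead of the Public Suffix List.

```python
# Constructed sample data: not real DNS answers or real cookie values.
CNAMES = {"ox-d.example.com": "delivery.adexchange.example"}  # hypothetical alias target
COOKIE_JAR = [
    # (name, Domain attribute or None for a host-only cookie, host that set it)
    ("_ga", "example.com", "www.example.com"),          # broad scope, as analytics cookies often are
    ("session", None, "www.example.com"),               # host-only: never leaves www.example.com
    ("prefs", "shop.example.com", "shop.example.com"),  # narrow scope
]

def site(host):
    """Assumption: last two labels stand in for the registrable domain.
    A real audit should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_match(request_host, cookie_domain):
    """Domain matching as in RFC 6265, section 5.1.3 (host names only)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def cookies_sent(request_host, jar=COOKIE_JAR):
    """Names of the cookies a browser attaches to a request for request_host."""
    sent = []
    for name, domain, origin_host in jar:
        if domain is None:
            if request_host.lower() == origin_host.lower():
                sent.append(name)
        elif domain_match(request_host, domain):
            sent.append(name)
    return sent

def audit(request_host, page_host, cnames=CNAMES):
    """Compare what the browser's 3rd-party check sees with who runs the server."""
    target = cnames.get(request_host)
    return {
        # 3rd-party cookie blocking compares sites by name, so the alias passes as 1st-party.
        "browser_sees_first_party": site(request_host) == site(page_host),
        # The CNAME target reveals that another party operates the host.
        "operated_by_other_site": target is not None and site(target) != site(request_host),
        "cookies_exposed": cookies_sent(request_host),
    }

if __name__ == "__main__":
    print(audit("ox-d.example.com", "www.example.com"))
```

Setting cookies host-only, or with the narrowest Domain attribute that still works, removes them from `cookies_exposed` for the aliased host.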
The full report is made available under this link.
We leave it to the community's consideration.
The results will be presented at HotPETS 2014.