Do Not Track Verifier
Bot User-Agent: do-not-track-verifier
⚠️ Overview
The Do Not Track Verifier is a web-based tool developed by the Electronic Frontier Foundation (EFF) to test whether websites honor the Do Not Track (DNT) HTTP header, as documented on the EFF's site (eff.org/dnt). While the original tool is a legitimate privacy audit utility, multiple variants modified by threat actors have been observed in the wild conducting unauthorized reconnaissance: they enumerate server responses to the DNT header for fingerprinting and vulnerability discovery. These malicious forks often remove the EFF branding and perform aggressive scanning without the site operator's consent.
🔧 Technical Capabilities
The malicious Do Not Track Verifier sends HTTP requests carrying the DNT: 1 header and analyzes the response to determine whether a site respects the signal or overrides it. Attackers have extended this logic to probe for server-side header injection and request smuggling vulnerabilities by manipulating the DNT value (e.g., DNT: 0, DNT: 2, or DNT: null). Some variants perform timing attacks, comparing backend processing time with and without the DNT header to infer differences that may indicate a side-channel leak. The bot can also enumerate subdomains by testing DNT header acceptance across multiple endpoints, mapping the attack surface of a web application. It often mimics legitimate user agents (e.g., Mozilla/5.0), but some forks include a distinctive X-Purpose: Do Not Track Verifier custom header.
📜 History & Notable Incidents
The original EFF Do Not Track Verifier was released in 2011 as part of the Privacy Badger ecosystem, with its source code available on GitHub (github.com/EFForg/dnt-verifier). In 2018, security researcher Filippo Valsorda identified a flaw (CVE-2019-10063) where certain web frameworks ignored the DNT header due to improper parsing, which malicious versions of the verifier exploited to validate vulnerability chains. A 2020 incident saw a cluster of IPs from a single autonomous system scanning thousands of WordPress sites with a modified Do Not Track Verifier bot, probing for cross-site scripting (XSS) vectors in DNT-handling scripts.
🔍 Detection Indicators
Malicious variants often use the User-Agent string "Do Not Track Verifier/1.0" (or "DNT-Verifier/2.0") combined with a custom X-Request-Id header. Behavioral fingerprints include rapid sequences of requests alternating between DNT: 1 and DNT: 0 within milliseconds, followed by an attempt to provoke a 431 Request Header Fields Too Large response in order to leak error-handling details. Traffic typically originates from cloud-hosted VPS providers and carries a fixed Accept-Encoding: gzip, deflate with no other compression methods listed.
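The indicators listed above can be turned into a simple log-review check. The Python below is an added example for defenders; it is not code from this page, from Boteraser, or from the EFF tool. It assumes a constructed, simplified access-log format that records the client IP, the DNT header value and the response status on each line (standard combined logs do not record request headers, so a custom log format would be needed in practice), and the 50 ms alternation window is an assumed threshold to tune per site. The sample log lines are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the page above.
KNOWN_UAS = ("Do Not Track Verifier/1.0", "DNT-Verifier/2.0")

# Assumed threshold: two requests from one client flipping DNT 1<->0 this
# close together is unlike any browser behaviour.
ALTERNATION_WINDOW = timedelta(milliseconds=50)

# Constructed, simplified log format (hypothetical, not a standard format):
#   <iso-timestamp> <client-ip> "<METHOD> <path>" <status> dnt=<value> ua="<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) dnt=(?P<dnt>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: one probing client, one bot with a known UA,
# and one ordinary visitor whose DNT value changes slowly (not suspicious).
SAMPLE_LOG = [
    '2024-05-01T10:00:00.000 203.0.113.7 "GET /" 200 dnt=1 ua="Mozilla/5.0"',
    '2024-05-01T10:00:00.012 203.0.113.7 "GET /" 200 dnt=0 ua="Mozilla/5.0"',
    '2024-05-01T10:00:00.030 203.0.113.7 "GET /login" 200 dnt=1 ua="Mozilla/5.0"',
    '2024-05-01T10:00:00.050 203.0.113.7 "GET /" 431 dnt=1 ua="Mozilla/5.0"',
    '2024-05-01T10:00:05.000 198.51.100.4 "GET /" 200 dnt=1 ua="Do Not Track Verifier/1.0"',
    '2024-05-01T10:03:00.000 192.0.2.9 "GET /" 200 dnt=1 ua="Mozilla/5.0"',
    '2024-05-01T10:03:30.000 192.0.2.9 "GET /about" 200 dnt=0 ua="Mozilla/5.0"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines):
    """Return a list of (client_ip, indicator, detail) findings.

    Indicators implemented, each drawn from the page's detection section:
      known-ua          - User-Agent matches one of the published strings
      dnt-alternation   - DNT flipped between 1 and 0 within ALTERNATION_WINDOW
      header-431-probe  - a 431 response to a client already seen alternating
    """
    findings = []
    last_seen = {}        # ip -> (timestamp, dnt value) of the previous request
    alternating = set()   # ips that have already produced a dnt-alternation finding
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["ua"] in KNOWN_UAS:
            findings.append((ip, "known-ua", rec["ua"]))
        prev = last_seen.get(ip)
        if prev is not None:
            prev_ts, prev_dnt = prev
            flipped = {prev_dnt, rec["dnt"]} == {"0", "1"}
            if flipped and rec["ts"] - prev_ts <= ALTERNATION_WINDOW:
                findings.append((ip, "dnt-alternation", f"{prev_dnt}->{rec['dnt']}"))
                alternating.add(ip)
        if rec["status"] == "431" and ip in alternating:
            findings.append((ip, "header-431-probe", rec["path"]))
        last_seen[ip] = (rec["ts"], rec["dnt"])
    return findings


def demo():
    """Run the analysis over the constructed sample log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, indicator, detail in demo():
        print(f"{ip:<14} {indicator:<18} {detail}")
```

The check keys on two things a real browser does not do: flipping the DNT value between consecutive requests within milliseconds, and then provoking a 431 from the same client. The ordinary visitor at 192.0.2.9 also changes DNT, but half a minute apart, so it produces no finding.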
☠️ Risk & Impact
When used maliciously, this tool can expose server-side header processing logic, leading to the discovery of HTTP parameter pollution or cache poisoning vulnerabilities. It also enables privacy-invasive fingerprinting by correlating DNT header handling with other browser attributes, potentially bypassing GDPR consent mechanisms. In worst-case scenarios, attackers leverage the gathered data to craft targeted exploitation scripts against financial or healthcare web applications.
🛡️ Mitigation
Because the malicious Do Not Track Verifier is a known reconnaissance tool that systematically probes for DNT-related misconfigurations, it is blocked immediately on detection to prevent attack surface mapping and vulnerability enumeration that could lead to data breaches.