I’ve noticed a rise in people sharing links to YouTube, Instagram, Twitter, TikTok, and reddit that include tracking parameters in the URL.

It might largely be harmless for now, but it’s not good to let companies build a web of links between users of this site, and to link the usernames of users on this site to their off-site accounts, which may include sensitive info.

SM URL Part Appearance in URL Filtration technique
Youtube Query ?si=* Remove query string
Instagram Query ?igshid=* Remove query string
Twitter Query ?t= Remove query string
Tiktok Subdomain and path (vm/vt).tiktok.com/(random_string) Block
reddit Path /(sub_name)/s/(random_string) Block

This site should only allow canonical links to the content to limit the information exposed.

  • Sushi_Desires [he/him, they/them]@hexbear.net
    link
    fedilink
    English
    arrow-up
    8
    ·
    edit-2
    11 months ago

    I have a question adjacent to this topic: Is it possible for someone (3rd party) to construct an elaborate tracking link that bounces through a server they themselves control – neither the site the link was posted on nor the destination, that also calls on a cookie or javascript function or something similar in the browser of the person who clicked it, in order to see who clicked it and what their destination was?

    I ask this because back in ~2021 there were a few communist twitter accounts that DM’ed their followers a strange / extremely long URL, apparently after their accounts were hacked. The link redirected to IG where some people said they were logged in to an account that had their real identity associated with it, and it caused a bit of a stir, but I never heard anything more about it. I have always wondered about this since it happened

    • mathemachristian [he/him]@hexbear.net
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      11 months ago

      The URL is meant to be a unique string to identify the location of a resource, it can have quite a bit of extra information encoded that only the server called knows what to do with, so its trivially possible to encode the URL of the resource a user wants to access into a completely different URL. The server at that location decodes the information and redirects the user to the location they are actually looking for.

      This is why URL minifiers like tinyurl.com are considered harmful but much more impactful is googles amp project which is also noticed less.

      I hope I understood you correctly.

      Edit: to expand on the threat scenario you posted, a 3rd party can create a URL that goes to a server they control. Encoded in that string can be identifiers to see where/who a user got the link from and where they should be redirected to. When a user clicks that URL that information plus the standard metadata of a browser request get transmitted to the server. The server then can serve a webpage that reads and/or places cookies, calls some JavaScript function to phone more information about the user home and then redirects the user to the location that was encoded in the URL the user originally clicked.

      See https://www.amiunique.org/ for more information on browser fingerprinting.

      This is more noticeable to the user who might see a blank page for a split second before their browser processes the redirection request. A less noticeable option would be to send a redirection command instead of a webpage, the attacker still gets the browser metadata of the initial request plus any identifiers in the URL and the user might not notice since the only change visible to them is in the address bar of their browser. But the attacker can’t place cookies or read extra information of the browser.

    • JoeByeThen [he/him, they/them]@hexbear.net
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      11 months ago

      What likely happened was that someone found and took advantage of an instagram exploit that allowed for cross site scripting. In other words, the instagram server allowed for a 3rd party server to steal cookies or something like that from the instagram session. It’s very likely that whatever code was executed (or instagram fixing the exploit) just resulted in the users being redirected to their main account or whatever so it didn’t look like anything out of the ordinary.