I’ve noticed a rise in people sharing links to YouTube, Instagram, Twitter, TikTok, and reddit that include tracking parameters in the URL.
It might largely be harmless for now, but it’s not good to let companies build a web of links between users of this site, and to link the usernames of users on this site to their off-site accounts, which may include sensitive info.
SM | URL Part | Appearance in URL | Filtration technique |
---|---|---|---|
Youtube | Query | ?si=* | Remove query string |
Query | ?igshid=* | Remove query string | |
Query | ?t= | Remove query string | |
Tiktok | Subdomain and path | (vm/vt).tiktok.com/(random_string) | Block |
Path | /(sub_name)/s/(random_string) | Block |
This site should only allow canonical links to the content to limit the information exposed.
The URL is meant to be a unique string to identify the location of a resource, it can have quite a bit of extra information encoded that only the server called knows what to do with, so its trivially possible to encode the URL of the resource a user wants to access into a completely different URL. The server at that location decodes the information and redirects the user to the location they are actually looking for.
This is why URL minifiers like tinyurl.com are considered harmful but much more impactful is googles amp project which is also noticed less.
I hope I understood you correctly.
Edit: to expand on the threat scenario you posted, a 3rd party can create a URL that goes to a server they control. Encoded in that string can be identifiers to see where/who a user got the link from and where they should be redirected to. When a user clicks that URL that information plus the standard metadata of a browser request get transmitted to the server. The server then can serve a webpage that reads and/or places cookies, calls some JavaScript function to phone more information about the user home and then redirects the user to the location that was encoded in the URL the user originally clicked.
See https://www.amiunique.org/ for more information on browser fingerprinting.
This is more noticeable to the user who might see a blank page for a split second before their browser processes the redirection request. A less noticeable option would be to send a redirection command instead of a webpage, the attacker still gets the browser metadata of the initial request plus any identifiers in the URL and the user might not notice since the only change visible to them is in the address bar of their browser. But the attacker can’t place cookies or read extra information of the browser.
tyvm for the explanation :)