I’ve noticed a rise in people sharing links to YouTube, Instagram, Twitter, TikTok, and reddit that include tracking parameters in the URL.
It might largely be harmless for now, but it’s not good to let companies build a web of links between users of this site, and to link the usernames of users on this site to their off-site accounts, which may include sensitive info.
| SM | URL Part | Appearance in URL | Filtration technique |
|---|---|---|---|
| Youtube | Query | ?si=* | Remove query string |
| Query | ?igshid=* | Remove query string | |
| Query | ?t= | Remove query string | |
| Tiktok | Subdomain and path | (vm/vt).tiktok.com/(random_string) | Block |
| Path | /(sub_name)/s/(random_string) | Block |
This site should only allow canonical links to the content to limit the information exposed.
yup. tiktok keeps recommending me to add a user here as a friend because I clicked through from a tracking link on hexbear months ago now.
Yeah I’ve followed half a dozen people from here. Y’all repost good shit.
the word “hextok” enters my mind unbidden… who knows what forces we have unleashed
:oh-shit:
Yeah… As much as I wish it were not a problem for this site to solve, much like nitter/invidious/etc. links were better solved by a browser extension, It’s such a dangerous practice to allow this for a place that values opsec, that I really think we should get to work on it. Maybe upstream lemmy would accept it as well, we certainly aren’t the only privacy focused instance out there.
Another one I’d add:
SM URL Part Appearance in URL Filtration technique StackExchange Path /<answer_id>/<referrer_id> Remove final path element Yeah, maybe it’s better to take it to dessalines instead of keeping it on hb
StackExchange
Good call especially since we know the FBI used data from them in one high-profile sting already lol
I am very much in favor of getting as many of these as convenient off Hexbear. I made a smaller thread about I think the twitter ones a long time ago and it didn’t go anywhere at the time.
Don’t forget the general purpose UTM ones:
utm_content=site-enterprise-button&utm_source=organic&utm_medium=website&utm_campaign=nullThese are used across the net, various sites document what they are, like this one: https://mailchimp.com/resources/utm-links/
The ClearURLs extension is a great for this as it automatically removes the tracking bit from major sites. It doesn’t detect everything though so still good to be wary
Tiktok links can be scrubbed of their tracking by resolving them one time, letting the 9-character random alphanumeric unique string be resolved out in a web browser upon visit to a 19-character numeric only video identifier plus separated tracking parameters, and then cleaning up the GET parameters that come out when you resolve it. See this post I made a while ago https://hexbear.net/post/216322?scrollToComments=false
Really good point, but in my opinion this should be left to the person doing the posting. If Hexbear implements this link resolution on the server, it could potentially be used to link the user to Hexbear itself. Again, very paranoid, but I think it’s more pragmatic to just block. Alternatively, proxitok can be used to resolve the deobfuscated URL, thereby the user isn’t linked back to Hexbear, but this is significantly more complicated and leaves Hexbear dependent on a third-party service.
yeah it’s probably best if we prevent submission of such links with a pointer to instructions on how to deobfuscate the url.
I have a question adjacent to this topic: Is it possible for someone (3rd party) to construct an elaborate tracking link that bounces through a server they themselves control – neither the site the link was posted on nor the destination, that also calls on a cookie or javascript function or something similar in the browser of the person who clicked it, in order to see who clicked it and what their destination was?
I ask this because back in ~2021 there were a few communist twitter accounts that DM’ed their followers a strange / extremely long URL, apparently after their accounts were hacked. The link redirected to IG where some people said they were logged in to an account that had their real identity associated with it, and it caused a bit of a stir, but I never heard anything more about it. I have always wondered about this since it happened
The URL is meant to be a unique string to identify the location of a resource, it can have quite a bit of extra information encoded that only the server called knows what to do with, so its trivially possible to encode the URL of the resource a user wants to access into a completely different URL. The server at that location decodes the information and redirects the user to the location they are actually looking for.
This is why URL minifiers like tinyurl.com are considered harmful but much more impactful is googles amp project which is also noticed less.
I hope I understood you correctly.
Edit: to expand on the threat scenario you posted, a 3rd party can create a URL that goes to a server they control. Encoded in that string can be identifiers to see where/who a user got the link from and where they should be redirected to. When a user clicks that URL that information plus the standard metadata of a browser request get transmitted to the server. The server then can serve a webpage that reads and/or places cookies, calls some JavaScript function to phone more information about the user home and then redirects the user to the location that was encoded in the URL the user originally clicked.
See https://www.amiunique.org/ for more information on browser fingerprinting.
This is more noticeable to the user who might see a blank page for a split second before their browser processes the redirection request. A less noticeable option would be to send a redirection command instead of a webpage, the attacker still gets the browser metadata of the initial request plus any identifiers in the URL and the user might not notice since the only change visible to them is in the address bar of their browser. But the attacker can’t place cookies or read extra information of the browser.
tyvm for the explanation :)
What likely happened was that someone found and took advantage of an instagram exploit that allowed for cross site scripting. In other words, the instagram server allowed for a 3rd party server to steal cookies or something like that from the instagram session. It’s very likely that whatever code was executed (or instagram fixing the exploit) just resulted in the users being redirected to their main account or whatever so it didn’t look like anything out of the ordinary.
Agreed. This should be easy enough to implement, no?
EDIT: if we’re scrubbing metadata from posted images we should absolutely be doing this.
deleted by creator
Oh I know, I mean that the precedent of metadata scrubbing points toward url cleaning as well, imo.
deleted by creator
Firefox started to have “copy without site tracking” on right click as an option.
Doesn’t always work, but at least it’s something. There might websites that do that too, but people here also forget to use archive links so idk how enforceable it is.
At least there’s the bot comments that do a private front end for links to big sites sometimes, but yeah people should be more careful about helping to build shadow profiles that’ll probably exist regardless.
Doesn’t always work, but at least it’s something
The ClearURLs extension has a very robust link copying tool, but I think if we’re relying on the users to have initiative about link cleaning then we’re only as private as the least compliant users on this site.
