Link Tracking in Popular Browsers

Updated 20 April 2019 and 22 April 2019. Updates embedded in the original post and some areas reworded/trimmed to aid clarity.


Several major web browsers (specifically Chrome, Safari and Edge) are enabling a tracking feature by default and removing the means to disable it. This is the hyperlink auditing, or ping, feature in HTML5. It has been in the standard for some time, but now the World Wide Web Consortium (W3C), who manage the HTML5 standard, are making it a required feature for modern browsers to support. What the privacy advocates are complaining about seems to be that the ability to switch this feature off is being removed, not that it exists in the first place, which to my way of thinking should have been addressed 11 years ago when the standard was drafted. However, back then, privacy wasn’t such a big thing.

What happens now?

When you click on a link in a web browser, particularly from a search engine like Google, the source site wants to know where you went when you clicked the link they gave you. Reasonable, you might think, since they want to see how effective the search engine is.

If in Chrome you right click a link and select ‘Copy Link Address’ and paste what comes back into a text editor (e.g. Notepad on Windows), you will see the URL the webpage is sending you to. I did this on Chrome when I searched for ‘IMDB’ on Google. What came back was:

https://www.imdb.com/

Reasonable you might think. However, if you look deeper and select instead the ‘Inspect’ option, you get the developer tools displayed and you can see the code behind it. The important part is shown below:

The important part is highlighted and is what follows the ‘ping=’ part. This will call back to Google and provide a direct tracking record of the link you clicked. If you log in to Google on Chrome (or for that matter any of the major browsers), this will be recorded in your profile and browsing history back at Google.

In FireFox, doing the same thing yields a different result, since this ping tracking is disabled by default. Right-clicking the search result for IMDB on Google and copying the address shows:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwjutuq-uc3hAhXYQxUIHeTvBXMQFjAAegQIBRAC&url=https%3A%2F%2Fwww.imdb.com%2F&usg=AOvVaw0bfSGQSfl6hZdrs13lj3BU

The resulting backend code showed the following:

What is happening here is that Google returned a different URL for the search result. This is known as a redirect: the link calls back to Google with a tracking identifier tied to the original search result, and Google then returns the actual URL of the site you want to go to. You might have noticed that your address bar sometimes flashes different text as you access a website. This is the redirection happening.

The PING function has only one official function – to track your activity. The redirect has a number of different functions, but has been abused to perform tracking.

What’s the big deal here?

The PING function is all about tracking, and has really no other official function. Privacy advocates are complaining as this is just another way for your data to be leaked back to websites and now there is no way to stop it.

If this was limited to just tracking, I personally don’t see what all the fuss is about. Google (et al) are going to track you one way or another (via a redirect or via the ping tracking function), so I guess we have to live with it.

Update 20/4/19: The Hyperlink Auditing/PING function has a side effect that allows an attacker to initiate a Distributed Denial of Service (DDoS) attack from your browser by rewriting the PING string from JavaScript. In order for this to happen, an attacker would have to inject malicious JavaScript into a webpage (by no means impossible, especially over http (not https) using a man-in-the-middle attack, or through the website getting hacked), and once there it can do the rewrites.

Imperva Research have uncovered such an attack, which utilized these HTML pings to perform distributed denial of service attacks on various sites. In one attack, which peaked at 7500 requests per second, a total of 70 million requests were generated from approximately 4,000 IP addresses over the course of 4 hours.

Conclusion

For the most part, no-one is going to notice this. It has been happening all the time for several years and it is only now that it becomes a mandated feature without a means to switch it off that people are complaining.

Update 20/4/19: The W3C could update the HTML5 specification to only allow the PING function to operate against the originating domain, but today the PING function can ping any URL/domain it likes. This would effectively mitigate the JavaScript vulnerability (see also the tip below).
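To make the ping/redirect distinction from earlier in the post concrete, and to show what the same-origin rule proposed here would actually catch, the following is an added example (not from the original post) that audits the anchors on a page: it lists every ping= target, flags the ones that are cross-origin to the page, and unwraps a Google-style /url redirect to its real destination. The HTML is constructed sample input, and the helper names (extractLinks, crossOriginPings, unwrapRedirect, audit) are my own; it runs under Node.js.

```javascript
// Added example, not code from the original post. The HTML below is constructed
// sample input modelled on the post's IMDb search result, not captured from Google.
const SAMPLE_HTML = `
<a href="https://www.imdb.com/" ping="https://www.google.com/url?sa=t&amp;url=https%3A%2F%2Fwww.imdb.com%2F">IMDb</a>
<a href="https://example.com/local" ping="https://example.com/log?x=1">Same-origin ping</a>
<a href="https://www.google.com/url?sa=t&amp;url=https%3A%2F%2Fwww.imdb.com%2F&amp;usg=abc">Redirect link</a>
`;

// Parse every <a> tag and return its href plus the space-separated list of ping URLs.
function extractLinks(html) {
  const links = [];
  const tagRe = /<a\s+([^>]*)>/gi;
  const attrRe = /(\w+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2].replace(/&amp;/g, '&'); // undo HTML escaping of &
    }
    links.push({ href: attrs.href || '', pings: (attrs.ping || '').split(/\s+/).filter(Boolean) });
  }
  return links;
}

// Ping URLs whose origin differs from the page origin: these are the ones a
// "same-origin only" rule for hyperlink auditing would refuse to send.
function crossOriginPings(pageOrigin, link) {
  const origin = new URL(pageOrigin).origin;
  return link.pings.filter(p => new URL(p, pageOrigin).origin !== origin);
}

// Resolve a Google /url redirect (the form shown in the post) to the real
// destination held in its url= parameter; any other href is returned unchanged.
function unwrapRedirect(href) {
  const u = new URL(href);
  if (u.hostname.endsWith('google.com') && u.pathname === '/url' && u.searchParams.has('url')) {
    return u.searchParams.get('url');
  }
  return href;
}

// For each link: where the click really goes, and which third-party hosts get pinged.
function audit(html, pageOrigin) {
  return extractLinks(html).map(l => ({
    destination: unwrapRedirect(l.href),
    trackers: crossOriginPings(pageOrigin, l).map(p => new URL(p).hostname),
  }));
}
```

Run with the page origin set to https://www.google.com and the first link's ping is same-origin and therefore not flagged, which shows that the proposed rule would stop injected third-party pings without stopping Google's own.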

Update (22/4/19): Mozilla (the owners of the FireFox browser) have announced (via Bleeping Computer) that they will be enabling the PING function by default in a future release of the browser, whereas before they had disabled it by default and allowed for a browser switch to enable it if the user desired. There is no indication that the feature to disable this using a browser switch will be provided. For now the Brave browser is the only holdout, but I am guessing it will only be a matter of time before they also capitulate and enable it by default.

TIP: uBlock Origin blocks the PING feature.

Update 20/4/19: If you use the uBlock Origin ad-blocker extension in your web browser, there is a feature in the settings tab called ‘Disable Hyperlink Auditing’ that appears to effectively block the PING feature. This is enabled by default. I have inspected the extension in Chrome, FireFox and Edge and it is enabled by default in all of these. I have not checked Safari, but guess it is there too.

Another reason to use uBlock Origin!!
