this post was submitted on 03 Jan 2024
137 points (100.0% liked)

hexbear

10261 readers
27 users here now

Now that the old Hexbear fork has been officially abandoned, this community will be used as a space for meta-discussion on the site itself.

founded 4 years ago
MODERATORS
 

I've noticed a rise in people sharing links to YouTube, Instagram, Twitter, TikTok, and reddit that include tracking parameters in the URL.

It might largely be harmless for now, but it's not good to let companies build a web of links between users of this site, and to link the usernames of users on this site to their off-site accounts, which may include sensitive info.

SM URL Part Appearance in URL Filtration technique
Youtube Query ?si=* Remove query string
Instagram Query ?igshid=* Remove query string
Twitter Query ?t= Remove query string
Tiktok Subdomain and path (vm/vt).tiktok.com/(random_string) Block
reddit Path /(sub_name)/s/(random_string) Block

This site should only allow canonical links to the content to limit the information exposed.

all 34 comments
sorted by: hot top controversial new old
[–] [email protected] 52 points 10 months ago (2 children)

yup. tiktok keeps recommending me to add a user here as a friend because I clicked through from a tracking link on hexbear months ago now.

[–] [email protected] 21 points 10 months ago
[–] [email protected] 10 points 10 months ago (1 children)

Yeah I’ve followed half a dozen people from here. Y’all repost good shit.

[–] [email protected] 12 points 10 months ago

the word "hextok" enters my mind unbidden... who knows what forces we have unleashed

[–] [email protected] 35 points 10 months ago (1 children)

Yeah... As much as I wish it were not a problem for this site to solve, much like nitter/invidious/etc. links were better solved by a browser extension, It's such a dangerous practice to allow this for a place that values opsec, that I really think we should get to work on it. Maybe upstream lemmy would accept it as well, we certainly aren't the only privacy focused instance out there.

Another one I'd add:

SM URL Part Appearance in URL Filtration technique
StackExchange Path /<answer_id>/<referrer_id> Remove final path element
[–] [email protected] 23 points 10 months ago (1 children)

Yeah, maybe it's better to take it to dessalines instead of keeping it on hb

StackExchange

Good call especially since we know the FBI used data from them in one high-profile sting already lol

[–] [email protected] 9 points 10 months ago* (last edited 10 months ago)

I am very much in favor of getting as many of these as convenient off Hexbear. I made a smaller thread about I think the twitter ones a long time ago and it didn't go anywhere at the time.

Don't forget the general purpose UTM ones:

utm_content=site-enterprise-button&utm_source=organic&utm_medium=website&utm_campaign=null

These are used across the net, various sites document what they are, like this one: https://mailchimp.com/resources/utm-links/

[–] [email protected] 28 points 10 months ago (1 children)

Firefox started to have "copy without site tracking" on right click as an option.

Doesn't always work, but at least it's something. There might websites that do that too, but people here also forget to use archive links so idk how enforceable it is.

At least there's the bot comments that do a private front end for links to big sites sometimes, but yeah people should be more careful about helping to build shadow profiles that'll probably exist regardless.

[–] [email protected] 22 points 10 months ago

Doesn't always work, but at least it's something

The ClearURLs extension has a very robust link copying tool, but I think if we're relying on the users to have initiative about link cleaning then we're only as private as the least compliant users on this site.

[–] [email protected] 28 points 10 months ago* (last edited 10 months ago) (2 children)

Agreed. This should be easy enough to implement, no?

EDIT: if we're scrubbing metadata from posted images we should absolutely be doing this.

[–] [email protected] 4 points 10 months ago

Now that the thread quietened down, I did want to comment on image sharing as well. We already know that Facebook implements tracking in metadata, but there is a concern that they might resort to advanced steganography to link images shared on other sites to their origins. If you're familiar with unsee(.)cc, they implement this by just straight up plastering your IP over the image, but this could be taken further by encoding dots or some wave pattern. Combatting this is really difficult, and I don't expect us to be able to do much. Personally I've been applying a slight imperceptible distortion to images which I shared from somewhere I expect to get tracked on, but that's extremely overkill. Just wanted to share, since I doubt I'll get another outlet.

[–] [email protected] 25 points 10 months ago (1 children)

The ClearURLs extension is a great for this as it automatically removes the tracking bit from major sites. It doesn't detect everything though so still good to be wary

[–] [email protected] 7 points 10 months ago

Thanks for the rec, just added this to my browser

[–] [email protected] 22 points 10 months ago

In the meantime, Firefox desktop has a function where you can right-click a link and "Copy Link Without Site Tracking," but implementing this Lemmy-wide would be best

[–] [email protected] 15 points 10 months ago* (last edited 10 months ago) (1 children)

Tiktok links can be scrubbed of their tracking by resolving them one time, letting the 9-character random alphanumeric unique string be resolved out in a web browser upon visit to a 19-character numeric only video identifier plus separated tracking parameters, and then cleaning up the GET parameters that come out when you resolve it. See this post I made a while ago https://hexbear.net/post/216322?scrollToComments=false

[–] [email protected] 12 points 10 months ago (1 children)

Really good point, but in my opinion this should be left to the person doing the posting. If Hexbear implements this link resolution on the server, it could potentially be used to link the user to Hexbear itself. Again, very paranoid, but I think it's more pragmatic to just block. Alternatively, proxitok can be used to resolve the deobfuscated URL, thereby the user isn't linked back to Hexbear, but this is significantly more complicated and leaves Hexbear dependent on a third-party service.

[–] [email protected] 8 points 10 months ago

yeah it's probably best if we prevent submission of such links with a pointer to instructions on how to deobfuscate the url.

[–] [email protected] 14 points 10 months ago* (last edited 10 months ago) (1 children)

For users submitting links in the meantime, on Android there's URL sanitizing apps that add "share providers", like "URLCheck" (fdroid, github), so if you're generating share links on Android you can send them to that app first or make it your default URL handler and let it sanitize the links on your clipboard.

Probably worth going to upstream Lemmy, though I guess ultimately federated links should be subjected to the same sanitization as as links submitted here directly.

There's code out there that can be implemented, probably best as some updateable list of regex filters per domain that instances can be maintained in between backend updates.

[–] [email protected] 7 points 10 months ago

This seems useful. I have a redirect extension on my computer but still do a lot of link sharing with friends on discord. Always hated how modern links are 98% tracking data. I've occasionally manually stripped out all the extra shit when I realized I posted a link that is a wall of text but having an app do that on the go sounds great.

Most of my friends don't really do tech and don't really care about this stuff but I try to avoid metadata spam or affiliate linking where I can.

[–] [email protected] 10 points 10 months ago

I like that FireFox has recently added a "Copy Link Without Site Tracking" option in the context menu when you right-click a link.

I've always manually removed all that garbage from links anyways, but now it's even easier.

[–] [email protected] 8 points 10 months ago* (last edited 10 months ago) (2 children)

I have a question adjacent to this topic: Is it possible for someone (3rd party) to construct an elaborate tracking link that bounces through a server they themselves control -- neither the site the link was posted on nor the destination, that also calls on a cookie or javascript function or something similar in the browser of the person who clicked it, in order to see who clicked it and what their destination was?

I ask this because back in ~2021 there were a few communist twitter accounts that DM'ed their followers a strange / extremely long URL, apparently after their accounts were hacked. The link redirected to IG where some people said they were logged in to an account that had their real identity associated with it, and it caused a bit of a stir, but I never heard anything more about it. I have always wondered about this since it happened

[–] [email protected] 4 points 10 months ago* (last edited 10 months ago) (1 children)

The URL is meant to be a unique string to identify the location of a resource, it can have quite a bit of extra information encoded that only the server called knows what to do with, so its trivially possible to encode the URL of the resource a user wants to access into a completely different URL. The server at that location decodes the information and redirects the user to the location they are actually looking for.

This is why URL minifiers like tinyurl.com are considered harmful but much more impactful is googles amp project which is also noticed less.

I hope I understood you correctly.

Edit: to expand on the threat scenario you posted, a 3rd party can create a URL that goes to a server they control. Encoded in that string can be identifiers to see where/who a user got the link from and where they should be redirected to. When a user clicks that URL that information plus the standard metadata of a browser request get transmitted to the server. The server then can serve a webpage that reads and/or places cookies, calls some JavaScript function to phone more information about the user home and then redirects the user to the location that was encoded in the URL the user originally clicked.

See https://www.amiunique.org/ for more information on browser fingerprinting.

This is more noticeable to the user who might see a blank page for a split second before their browser processes the redirection request. A less noticeable option would be to send a redirection command instead of a webpage, the attacker still gets the browser metadata of the initial request plus any identifiers in the URL and the user might not notice since the only change visible to them is in the address bar of their browser. But the attacker can't place cookies or read extra information of the browser.

[–] [email protected] 2 points 10 months ago

tyvm for the explanation :)

[–] [email protected] 3 points 10 months ago* (last edited 10 months ago)

What likely happened was that someone found and took advantage of an instagram exploit that allowed for cross site scripting. In other words, the instagram server allowed for a 3rd party server to steal cookies or something like that from the instagram session. It's very likely that whatever code was executed (or instagram fixing the exploit) just resulted in the users being redirected to their main account or whatever so it didn't look like anything out of the ordinary.