Major Browsers to Prevent Disabling of Click Tracking Privacy Risk

By April 7, 2019 Ethereum
Originally published at www.bleepingcomputer.com

An HTML standard called hyperlink auditing, which lets sites track link clicks, is enabled by default in Safari, Chrome, Opera, and Microsoft Edge, and these browsers will soon offer no way to disable it. Because it is considered a privacy risk, browsers previously let you turn the feature off. Now they are going in the opposite direction.

Hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked. These pings are sent as a POST request to the specified web page, which can then examine the request headers to see what page the link was clicked on.

To create a hyperlink auditing link, you simply create a normal HTML hyperlink tag but also include a ping="[url]" attribute, as shown below.

Ping HTML Link

This renders on the page as a normal link to google.com, and hovering over it shows only the destination URL. It does not show the ping-back URL of https://www.bleepingcomputer.com/pong.php, so users will not even realize this is happening unless they examine the site's source code.
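Because the ping target never appears on hover, the only way to find these links is to read the markup. The following is an added example, not code from the article or from BleepingComputer: a small Python scanner that walks every anchor in an HTML document, reports the visible destination beside the hidden ping target(s), and flags pings that go to a different host than the page itself (the cross-site tracking case). The sample page is constructed here, modelled on the google.com/pong.php link the article describes; it also covers the space-separated multiple-URL form of the ping attribute and relative URLs, which the article's single example does not show.

```python
"""Audit an HTML document for hyperlink-auditing (ping=) links.

Added example, not from the original article. Handles <a> and <area>
tags, the space-separated multiple-URL form of ping=, and relative URLs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PingLinkCollector(HTMLParser):
    """Collect {href, ping: [...]} records from <a> and <area> tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = dict(attrs)
        ping = attr.get("ping")
        if not ping:
            return
        # ping= is a space-separated list of URLs; each one receives its own
        # POST when the link is clicked. Resolve them against the page URL.
        targets = [urljoin(self.base_url, p) for p in ping.split()]
        href = urljoin(self.base_url, attr.get("href", ""))
        self.links.append({"href": href, "ping": targets})


def audit_ping_links(html, page_url):
    """Return every ping link in `html`, annotated with whether any of its
    ping targets lives on a different host than the page (cross-site)."""
    parser = PingLinkCollector(page_url)
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    for link in parser.links:
        link["cross_site"] = any(
            urlsplit(t).hostname != page_host for t in link["ping"]
        )
    return parser.links


# Constructed sample page (not from the article): a link that appears to go
# only to google.com but also pings /pong.php, plus a two-target ping link
# and a plain link for contrast.
SAMPLE_PAGE_URL = "https://www.bleepingcomputer.com/ping.html"
SAMPLE_HTML = """
<html><body>
<a href="https://www.google.com/" ping="/pong.php">Ping HTML Link</a>
<a href="https://example.org/"
   ping="https://tracker.example/log https://tracker2.example/log">Two pings</a>
<a href="https://example.org/plain">No ping here</a>
</body></html>
"""

if __name__ == "__main__":
    for link in audit_ping_links(SAMPLE_HTML, SAMPLE_PAGE_URL):
        flag = "CROSS-SITE" if link["cross_site"] else "same-site"
        print(f"{flag}: {link['href']} -> pings {', '.join(link['ping'])}")
```

Run it against a saved page (`audit_ping_links(open("page.html").read(), "https://site/page")`) to list what a click on each link will actually contact. Note that `html.parser` sees only the static markup; links whose ping attribute is added by script at runtime would need the rendered DOM instead.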

Hover shows link URL, but not ping back URL

When a user clicks the above link, the browser first sends a POST request to the ping URL https://www.bleepingcomputer.com/pong.php, as shown below, and then opens the www.google.com page. This means that every time a user clicks a hyperlink-audited link, the browser makes two requests instead of one.

Example Ping POST Request

Scripts that receive the ping POST request can then parse its headers to see what page the ping came from and where the hyperlink-audited link was going. The headers carrying this information in the ping request are shown below.

    [HTTP_PING_FROM] => https://www.bleepingcomputer.com/ping.html
    [HTTP_PING_TO] => https://www.google.com/
    [CONTENT_TYPE] => text/ping

As you can see, developers can use hyperlink auditing to track link clicks from any web property they have access to.
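The same headers are what a proxy or web-server hook can key on to recognise and log (or drop) these pings on the wire. As an added example, not code from the article or from BleepingComputer, the Python below parses a raw HTTP request and classifies it as a hyperlink-auditing ping only when it is a POST with Content-Type text/ping carrying a Ping-To header; the Ping-From header is treated as optional, since browsers do not send it in every cross-origin case. Both sample requests are constructed here, modelled on the request and headers shown above; the body string "PING" and the /login form POST are assumptions for illustration.

```python
"""Recognise hyperlink-auditing pings in captured HTTP requests.

Added example, not from the original article. A ping is a POST with
Content-Type text/ping; the browser adds Ping-To (link destination) and,
depending on origin rules, Ping-From (the page the click happened on).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PingInfo:
    ping_from: Optional[str]  # page the link was clicked on, if the browser sent it
    ping_to: str              # destination of the clicked link
    target: str               # request target the ping POST was sent to


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        # partition on the first colon only; header values may contain colons
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_ping(raw):
    """Return a PingInfo if `raw` is a hyperlink-auditing ping, else None."""
    method, target, headers, _body = parse_request(raw)
    # Ignore any parameters (e.g. charset) when comparing the media type.
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or content_type != "text/ping":
        return None
    ping_to = headers.get("ping-to")
    if ping_to is None:
        # text/ping without Ping-To is not what a browser sends for <a ping>
        return None
    return PingInfo(ping_from=headers.get("ping-from"),
                    ping_to=ping_to, target=target)


# Constructed sample ping (not a real capture), modelled on the article's
# ping.html -> google.com example.
SAMPLE_PING = (
    "POST /pong.php HTTP/1.1\r\n"
    "Host: www.bleepingcomputer.com\r\n"
    "Content-Type: text/ping\r\n"
    "Ping-From: https://www.bleepingcomputer.com/ping.html\r\n"
    "Ping-To: https://www.google.com/\r\n"
    "Content-Length: 4\r\n"
    "\r\n"
    "PING"
)

# Constructed ordinary form POST that must not be mistaken for a ping.
SAMPLE_FORM = (
    "POST /login HTTP/1.1\r\n"
    "Host: www.bleepingcomputer.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 9\r\n"
    "\r\n"
    "user=abcd"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PING, SAMPLE_FORM):
        info = classify_ping(sample)
        print("hyperlink-auditing ping:" if info else "not a ping", info or "")
```

The PHP-style `[HTTP_PING_FROM]` / `[HTTP_PING_TO]` keys shown above are the same two headers after the web server has prefixed them with `HTTP_`, so a server-side receiver sees exactly the fields this classifier extracts.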

Most browsers won't let you disable it in the future

With privacy and online tracking being such a large problem and a major concern for many users, you would think browser developers would give you the option to disable anything that could affect your privacy.

Unfortunately, this seems to be going in the reverse direction when it comes to hyperlink auditing.

According to developer Jeff Johnson, Safari enables hyperlink auditing by default but allowed you to disable it with the following hidden preference:

    defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Johnson has stated that this flag no longer works with Safari 12.1.

"Unfortunately, this no longer works in Safari 12.1. I actually discovered the issue in Safari Technology Preview 72, and I filed a Radar on January 2, 2019 as rdar://problem/47000341," Johnson stated in a blog post. "Despite several months' notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists. To end this article, I'll quote the full text of the Radar that I filed:"

Google Chrome also enables this tracking feature by default, but the current Chrome 73 release includes a "Hyperlink auditing" flag at chrome://flags that can be used to disable it.

Chrome 73 Hyperlink Auditing Flag

In the Chrome 74 Beta and Chrome 75 Canary builds, though, this flag has been removed, leaving no way to disable hyperlink auditing.

No Hyperlink auditing flag in Chrome 74

The current version of Microsoft Edge also enables hyperlink auditing by default and provides no way to disable it that I could find. I also looked at the upcoming Microsoft Edge Insider build and, as it is based on Chromium 75, there is no way to disable hyperlink auditing in that browser either.

Like Edge, Opera is also based on Chromium, and the Opera 61 Developer build removes the option to disable hyperlink auditing as well.

Finally, I also tested the mobile versions of Chrome and Safari, and hyperlink auditing is enabled by default there with no way of disabling it.

What this means is that starting next month, when Chrome 74 is released to the stable branch, Edge, Chrome, Opera, and Safari will no longer offer a way to disable this tracking feature and privacy risk.

Firefox and Brave win the award

Of all the browsers I tested, only Brave and Firefox currently disable it by default, and neither appears to have any plans to enable it in the future.

Firefox 66, Firefox Beta 67, and Firefox Nightly 68 disable hyperlink auditing by default and allow users to enable it via the browser.send_pings setting in about:config.

Firefox 66 Setting

The privacy-focused Brave browser also disables it by default and does not allow you to enable it at all. It does have a display bug in brave://flags that shows hyperlink auditing as enabled, but this is a carryover from Chrome and is not displayed correctly.

Going forward, if privacy is important to you and you want to reduce the risk of being tracked online, then you will need to use Firefox or Brave.
