URL shorteners set ad tracking cookies
This Christmas, a family member sent me a URL to a family Zoom call. However, they didn’t send me a direct link to Zoom. Instead, they sent me a “tinyurl.com” link.
When I clicked on the link, my URL bar flashed an intermediate domain that was neither Zoom nor TinyURL. Later, I used cURL to see where this URL was really going.
$ curl -v https://tinyurl.com/examplezoom ... > GET /examplezoom HTTP/2 > Host: tinyurl.com ... < location: https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC
Following the redirect in cURL reveals another unsavory fact. VigLink sets cookies before they send me to the intended destination on Zoom.
$ curl -v 'https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC' > GET /?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC HTTP/1.1 > Host: redirect.viglink.com ... < Set-Cookie: vglnk.PartnerRfsh.p=; Domain=.viglink.com; Path=/; SameSite=None; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure < Set-Cookie: vglnk.Agent.p=v-c935c520ecc561fe60a9418874e023b7; Domain=.viglink.com; Path=/; SameSite=None; Expires=Mon, 01 Feb 2021 16:52:34 GMT; Secure
These cookies give them the ability2 to track me across every other site that uses their advertising tech. Who knows what VigLink is doing with my data, but I personally wouldn’t trust an advertising company to keep my browsing history to themselves.
Don’t use URL shorteners. And if you click on a link from a URL shortener, I recommend using tools like the Temporary Containers Firefox extension to limit the scope of ad tracking. Personally, I took the time to send Sovrn (VigLink’s parent company) a GDPR request, and made sure to give them my tracking cookie. I’ll update this blog and my newsletter if I actually get anything substantive back.
Discuss this post on Hacker News
Their main website was initially blocked by my ad-blocking software. I figured I’d just link to Wikipedia here.↩︎
Browsers like Safari and Firefox are getting better at catching these drive-by attempts to set cookies. I applaud those efforts, but since this type of tracking works in many cases and is explicitly limited by privacy law, I think it’s still noteworthy.↩︎