URL shorteners set ad tracking cookies

This Christmas, a family member sent me a URL to a family Zoom call. However, they didn’t send me a direct link to Zoom. Instead, they sent me a tinyurl.com” link.

When I clicked on the link, my URL bar flashed an intermediate domain that was neither Zoom nor TinyURL. Later, I used cURL to see where this URL was really going.

$ curl -v https://tinyurl.com/examplezoom
...
> GET /examplezoom HTTP/2
> Host: tinyurl.com
...
< location: https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC

(all HTTP responses abridged for clarity)

Sure enough, the redirect wasn’t clean at all. TinyURL was first sending me to VigLink1. VigLink is an advertising (tracking) company that specializes in affiliate marketing.

Following the redirect in cURL reveals another unsavory fact. VigLink sets cookies before they send me to the intended destination on Zoom.

$ curl -v 'https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC'
> GET /?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC HTTP/1.1
> Host: redirect.viglink.com
...
< Set-Cookie: vglnk.PartnerRfsh.p=; Domain=.viglink.com; Path=/; SameSite=None; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure
< Set-Cookie: vglnk.Agent.p=v-c935c520ecc561fe60a9418874e023b7; Domain=.viglink.com; Path=/; SameSite=None; Expires=Mon, 01 Feb 2021 16:52:34 GMT; Secure

These cookies give them the ability2 to track me across every other site that uses their advertising tech. Who knows what VigLink is doing with my data, but I personally wouldn’t trust an advertising company to keep my browsing history to themselves.

Furthermore, they didn’t give me a chance to opt-out of this tracking. I’m currently based in Europe and I would expect to see at least an interstitial asking for consent to be tracked. TinyURL’s privacy policy, last updated in 2012, has no mention of either third party data-sharing nor the cookies they share from affiliates.

This isn’t a phenomenon limited to TinyURL. More common URL shorteners like t.co (Twitter) and bit.ly set cookies when you click on a link. While neither redirect you to an advertising company like TinyURL, Twitter’s primary business model is advertising, and bit.ly’s privacy policy says they share data with third parties to …provide advertising products and services…”

Don’t use URL shorteners. And if you click on a link from a URL shortener, I recommend using tools like the Temporary Containers Firefox extension to limit the scope of ad tracking. Personally, I took the time to send Sovrn (VigLink’s parent company) a GDPR request, and made sure to give them my tracking cookie. I’ll update this blog and my newsletter if I actually get anything substantive back.

Discuss this post on Hacker News


  1. Their main website was initially blocked by my ad-blocking software. I figured I’d just link to Wikipedia here.↩︎

  2. Browsers like Safari and Firefox are getting better at catching these drive-by attempts to set cookies. I applaud those efforts, but since this type of tracking works in many cases and is explicitly limited by privacy law, I think it’s still noteworthy.↩︎


Date
January 2, 2021