How to protect your information with Local Sheriff

Watching them watching us

What is a TellTale URL ?

A URL is the most commonly tracked piece of information. The innocent choice to structure a URL around page content can make it easy to learn a user's browsing history, address, health information or other sensitive details. Such URLs either contain sensitive information directly or lead to a page that does.

We call such URLs TellTale URLs.

Let’s take a look at some examples of such URLs.

EXAMPLE #1:

Website: donate.mozilla.org (Fixed)

After you finish the payment process on donate.mozilla.org, you are redirected to a "thank you" page. If you look carefully at the URL in the screenshot below, it contains private information: email address, country, donation amount and payment method.

PII in URL on donate.mozilla.org

Because this page loads resources from third parties and the URL is not sanitised, the same information is also shared with those third parties, both via the Referer header and as a value inside the request payloads sent to them.

URL with PII shared when fonts are loaded from Google APIs.

In this particular case, the information was shared with 7 third parties.
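To make the leak mechanism concrete, here is an added example (not Local Sheriff's own code) that performs the kind of check such a tool does: it takes the first-party URL, treats its query-parameter values as candidate PII, and scans every third-party request for those values in the Referer header, the request URL and the POST body. The page URL, hosts and request records are constructed for the example, and the registrable-domain check is a deliberate simplification.

```javascript
// Added example (not Local Sheriff's code): which third parties received
// values from a TellTale URL, and over which channel. All hosts, URLs and
// request records are constructed for illustration.

// Constructed first-party "thank you" URL carrying PII in its query string.
const PAGE_URL =
  'https://donate.example.org/thank-you' +
  '?email=alice%40example.com&country=Germany&amount=25.00&method=card';

// Constructed requests as a network log would record them: the URL, the
// Referer header the browser attached, and any POST body.
const REQUESTS = [
  // Font load: the full page URL travels in the Referer header.
  { url: 'https://fonts.googleapis.example/css?family=Open+Sans',
    headers: { referer: PAGE_URL } },
  // Analytics beacon: Referer trimmed to the origin, but the script copied
  // document.location into the payload (URL-encoded a second time).
  { url: 'https://stats.tracker.example/collect',
    headers: { referer: 'https://donate.example.org/' },
    body: 'v=1&dl=' + encodeURIComponent(PAGE_URL) + '&t=pageview' },
  // Static asset with a trimmed Referer: nothing sensitive leaves.
  { url: 'https://cdn.example.net/app.js',
    headers: { referer: 'https://donate.example.org/' } },
  // Same-site API call: carries the email but is not a third party.
  { url: 'https://donate.example.org/api/receipt?email=alice%40example.com' },
];

// Approximate the registrable domain as the last two host labels. A real
// tool should use the Public Suffix List; "example.co.uk"-style names are
// misclassified by this shortcut.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Candidate PII: every decoded query-parameter value of the page URL.
// Values shorter than 3 characters are skipped because they would match
// almost any request by accident (e.g. amount=1).
function sensitiveFields(pageUrl) {
  const fields = [];
  for (const [name, value] of new URL(pageUrl).searchParams) {
    if (value.length >= 3) fields.push({ name, value });
  }
  return fields;
}

// Percent-decode repeatedly (bounded) so a URL that was embedded inside a
// payload, and therefore encoded twice, still reveals its values.
function fullyDecode(text) {
  let out = text;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Names of the fields whose values occur in `text` (substring match, so
// short or common values can produce false positives).
function fieldsIn(text, fields) {
  if (!text) return [];
  const decoded = fullyDecode(text);
  return fields.filter(f => decoded.includes(f.value)).map(f => f.name);
}

// Map of third-party host -> { referer: [fields], payload: [fields] }.
// Same-site requests and requests carrying none of the fields are omitted.
function findLeaks(pageUrl, requests) {
  const firstParty = site(new URL(pageUrl).hostname);
  const fields = sensitiveFields(pageUrl);
  const leaks = {};
  for (const req of requests) {
    const u = new URL(req.url);
    if (site(u.hostname) === firstParty) continue;
    const headers = req.headers || {};
    const viaReferer = fieldsIn(headers.referer, fields);
    const viaPayload = fieldsIn(u.search + ' ' + (req.body || ''), fields);
    if (!viaReferer.length && !viaPayload.length) continue;
    const entry = leaks[u.hostname] || (leaks[u.hostname] = { referer: [], payload: [] });
    entry.referer = [...new Set(entry.referer.concat(viaReferer))];
    entry.payload = [...new Set(entry.payload.concat(viaPayload))];
  }
  return leaks;
}

// Number of distinct third-party hosts that received at least one field.
function leakingThirdParties(pageUrl, requests) {
  return Object.keys(findLeaks(pageUrl, requests)).length;
}

console.log(JSON.stringify(findLeaks(PAGE_URL, REQUESTS), null, 2));
```

Run with Node. For the constructed log it reports two leaking hosts: the font host receives all four fields through the Referer header, the analytics host receives them inside its payload, the CDN gets nothing and the same-site API call is ignored. The double decoding matters in practice: a page URL copied into a beacon is typically encoded once more, so a single decode would miss the email address.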

Mozilla fixed the issue promptly; more details can be found at https://bugzilla.mozilla.org/show_bug.cgi?id=1516699

EXAMPLE #2:

Website: trainline.eu, JustFly.com (Last checked: Aug’18)

Once you finish a purchase such as train or flight tickets, you receive an email with a link to manage your booking. Most of the time, clicking the link shows you the booking details without asking for anything more, such as a booking code or a username and password.

This means the URL itself contains a token that is unique to the user and grants access to that user's booking.

These URLs are also shared with third parties, giving them highly sensitive data and, with it, access to your bookings.

JustFly.com leaking bookingID to 10 third-party domains

trainline.eu sharing booking token with 17 third-party domains.

URL with token being shared via the Referer header and inside the request payload.

EXAMPLE #3:

Website: foodora.de, grubhub.com (Last checked: Aug’18)

One of the prerequisites for ordering food online is entering the address where you want the food delivered.

Some popular food delivery websites convert the address to fine-grained latitude/longitude values and add them to the URL.

That URL is also shared with third parties, potentially leaking where the user lives.
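The common fix across all three examples is to keep the sensitive values out of the URL that third parties get to see. The following added example (not Mozilla's fix and not Local Sheriff's code) shows a site-side sanitiser: it removes query parameters that are sensitive by name or whose value looks like an email address, an opaque token or a coordinate, and, when run in a browser, rewrites the address bar with history.replaceState before third-party resources are requested. The parameter names and regular expressions are assumptions for the example.

```javascript
// Added example (not Mozilla's fix, not Local Sheriff's code): strip
// sensitive query parameters from a TellTale URL. Parameter names and
// heuristics below are assumptions for illustration.

// Parameter names assumed to carry PII, mirroring the three examples above
// (email on a donation receipt, booking token, delivery coordinates).
const SENSITIVE_PARAMS = ['email', 'token', 'bookingId', 'lat', 'lng'];

// Heuristics for values that are sensitive whatever the parameter is called.
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const TOKEN_RE = /^[A-Za-z0-9_-]{20,}$/;   // long opaque identifiers
const COORD_RE = /^-?\d{1,3}\.\d{3,}$/;    // lat/lng with 3+ decimals

function looksSensitive(name, value) {
  return SENSITIVE_PARAMS.includes(name) ||
    EMAIL_RE.test(value) || TOKEN_RE.test(value) || COORD_RE.test(value);
}

// Return `href` with sensitive query parameters removed; returns the input
// string unchanged when nothing had to go. Names are collected first so the
// parameter list is not modified while it is being iterated.
function stripSensitiveParams(href) {
  const u = new URL(href);
  const drop = [];
  for (const [name, value] of u.searchParams) {
    if (looksSensitive(name, value)) drop.push(name);
  }
  for (const name of drop) u.searchParams.delete(name);
  return drop.length ? u.toString() : href;
}

// Browser-side use: rewrite the current location without reloading, so the
// Referer of later requests and any document.location value copied into a
// payload are already clean. Returns null outside a browser (e.g. Node).
function sanitizeLocation() {
  if (typeof history === 'undefined' || typeof location === 'undefined') return null;
  const clean = stripSensitiveParams(location.href);
  if (clean !== location.href) history.replaceState(history.state, '', clean);
  return clean;
}

console.log(stripSensitiveParams(
  'https://food.example/list?address=Main+St&lat=52.5200&lng=13.4050'));
```

Call sanitizeLocation() from an inline script at the top of the document head, before any third-party script, stylesheet or font is requested; resources requested earlier have already sent the original URL as Referer, which is why this is a stopgap rather than a replacement for a Referrer-Policy header (no-referrer, or strict-origin-when-cross-origin to trim cross-site referrers to the origin) and for not putting these values in the URL in the first place, for instance by carrying them in a POST body or server-side session.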