There is a little-known but widespread privacy and security problem: telltale URLs. They allow third parties access to information that customers provide during online transactions. This often includes personally identifiable information (PII) such as name, address, phone number, email address, credit card information, travel plans or even passport number. Filling in online forms with our personal information is part of our daily transactions with companies. When you order food, buy concert tickets or book a flight online, you will usually receive an email confirmation with a unique URL that, when clicked, takes you directly to an order/booking details page, with no need to log back into the site. On this page you can check your order again, make changes or cancel a booking. This is convenient but sometimes dangerous.

How third parties can access personal booking data

Of course, you assume that the information on the order/booking details page can only be accessed by yourself. However, this data can be viewed by anyone who has access to the web address of this page. The URLs, linked in confirmation emails, often contain specific strings that are used as a unique identifier. Whoever gets access to these unique URLs can simply open them (be it manually or using bots) and see, extract and even change or delete the personal information you provided as a part of your online transaction.

The Lufthansa booking details page contains contact data such as name, email address and phone number.

Now, you may ask: “These transactions are between me and my service provider’s website or app. How do external entities get access to these URLs?“ Here’s where third-party tracking scripts come into play. E-Commerce companies often add these third-party scripts to their websites and apps to provide analytics, advertising and other plug-in functionality. When not carefully implemented, these scripts can capture the unique URLs pointing to an order/booking details page – meaning that third parties now have access to all that data.

Customers of Lufthansa, Emirates, FedEx, Foodora and JustFly affected

We already discussed at length how careless some companies are when it comes to your data and your privacy. Another example in this case is Lufthansa. The link in their usual confirmation email leads to a booking details page where passenger data including visa information and passport numbers can be changed, all of which are stored in plain text. In addition, all payments you made during the transaction can be viewed and your receipt can be downloaded. It is also possible to print your itinerary. As already mentioned, all this works without having to log into the Lufthansa website again – one click on the unique URL is enough!

Even passport data can be viewed or changed on the Lufthansa booking details page without authentication.

When you book your flight through Lufthansa, there are many data points related to your booking. The moment you click on ‘view / edit booking’ to select a seat for your trip or to check-in to your flight, details unique to your booking are passed on to different third-party trackers like Exactag, Webtrends, and Google among others. Theoretically, this information can later be used to create a detailed profile of how the user navigates on different websites and to learn who that actual user is. And Lufthansa is by no means an isolated case. This problem of leaking user information is definitely not limited to a few but is widespread among most of the websites you can think of. Similar issues can be observed with Lufthansa competitor Emirates, the food delivery service Foodora, the courier delivery service FedEx and the online travel agency JustFly. Even healthcare websites are affected.

Local Sheriff chases down the bad guys

Most of the time, neither the e-commerce companies nor their customers are aware of the potential privacy leaks caused by telltale URLs. To show and educate the users about the extent of privacy leaks, Cliqz has developed the experimental browser extension Local Sheriff, which was recently presented at the Defcon Demo Labs in Las Vegas (For more details, see this Threatpost article). Think of Local Sheriff as a reconnaissance tool in your browser for gathering information about what tracking companies know about you.

Local Sheriff reveals which websites share/leak which data points to which third parties in form of telltale URLs.