Major browsers to prevent disabling of the hyperlink auditing privacy risk


New versions of Chrome, Safari, and Opera will no longer let you disable hyperlink auditing, a feature that is a concern for anyone seeking maximum confidentiality. While some of these browsers previously allowed you to disable the feature, the newer versions are moving in the opposite direction.

Hyperlink auditing is an HTML standard for tracking clicks on website links. It works by creating special links that, when clicked, send a ping back to a specified URL. These pings are made as POST requests to the specified web page, which can then inspect the request headers to see which page the click came from.

To create a hyperlink auditing URL, a normal HTML hyperlink tag is used, but a ping="[url]" attribute is also included, as shown below.

This makes the page show a normal link to Google.com, and hovering over it reveals only the target URL. The https://www.bleepingcomputer.com/pong.php ping-back URL is not shown, so users will not even realize it is there unless they examine the website's source code.


Hover shows link URL, but not ping back URL

When you click on the link above, the browser will first send a POST request to the ping URL https://www.bleepingcomputer.com/pong.php, as shown below, and then open the page at www.google.com. This means that the browser makes two requests instead of one each time a user clicks on an audited hyperlink.


Example Ping POST Request

Scripts receiving the ping POST request can then inspect its headers to see which page the ping came from and which link was audited. Below are the headers carrying that information in the ping request.

[HTTP_PING_FROM] => https://www.bleepingcomputer.com/ping.html

[HTTP_PING_TO] => https://www.google.com/

[CONTENT_TYPE] => text/ping
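As an added example (not code from the original article), the following Python script scans a page's HTML for links carrying the ping attribute described above and reconstructs the Ping-To / Ping-From / Content-Type request each one would trigger, flagging ping-back URLs that point at a different site than the page itself. The sample page, URLs and the tracker.example host are constructed for the example; the header rules follow the HTML specification as understood here.

```python
# Added example: find hyperlink-auditing links in HTML and show the ping
# request each would generate. Not part of the original article.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PingLinkFinder(HTMLParser):
    """Collects every <a>/<area> element that carries a ping attribute."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        a = dict(attrs)
        if a.get("ping") and a.get("href"):
            # ping= may hold several space-separated URLs (HTML spec)
            self.links.append((a["href"], a["ping"].split()))


def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def audit_links(page_url, html):
    """One record per ping target: visible href, ping-back URL, the headers
    the browser would send, and whether the ping leaves the page's origin."""
    finder = PingLinkFinder()
    finder.feed(html)
    out = []
    for href, pings in finder.links:
        target = urljoin(page_url, href)
        for ping in pings:
            ping_url = urljoin(page_url, ping)
            headers = {"Content-Type": "text/ping", "Ping-To": target}
            # Ping-From (the page that was clicked) is only sent when the ping
            # URL shares the page's origin or the page is not served over https.
            if origin(ping_url) == origin(page_url) or urlsplit(page_url).scheme != "https":
                headers["Ping-From"] = page_url
            out.append({"href": target, "ping": ping_url, "headers": headers,
                        "cross_site": origin(ping_url) != origin(page_url)})
    return out


# Constructed sample page: a plain-looking Google link whose click also
# POSTs to pong.php on the hosting site and to a (made-up) third-party host.
SAMPLE_HTML = ('<a href="https://www.google.com/" '
               'ping="/pong.php https://tracker.example/p">Google</a>')

if __name__ == "__main__":
    for rec in audit_links("https://www.bleepingcomputer.com/ping.html", SAMPLE_HTML):
        print(rec)
```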

As you can see, developers can track links from any web property they have access to by using Hyperlink Auditing.

Most browsers will not let you disable it in the future

With online privacy and tracking being such a concern for so many users, you'd think browser developers would let you disable anything that affects your privacy. Unfortunately, when it comes to hyperlink auditing this seems to be going in the reverse direction. According to developer Jeff Johnson, Safari has hyperlink auditing enabled by default but previously allowed you to disable it with the following hidden preference.

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

Johnson said this setting no longer works in Safari 12.1.

“Unfortunately, this no longer works in Safari 12.1. I actually discovered the issue in Safari Technology Preview 72, and I filed a Radar on January 2, 2019 as rdar://problem/47000341,” Johnson stated in a blog post. “Despite several months’ notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists. To end this article, I’ll quote the full text of the Radar that I filed:”

Google Chrome also enables this tracking feature by default, but the current Chrome 73 version includes a “Hyperlink auditing” flag at the chrome://flags URL that can be used to disable it.


Chrome 73 Hyperlink Auditing Flag

In the Chrome 74 Beta and Chrome 75 Canary builds, however, this flag has been removed and hyperlink auditing can no longer be disabled.


No Hyperlink auditing flag in Chrome 74

The latest version of Microsoft Edge has hyperlink auditing enabled by default and offers no way to disable it. I also looked at the upcoming Microsoft Edge Insider build and, because it is based on Chromium 75, there is no way to disable hyperlink auditing in that browser either.

Like Edge, Opera is also based on Chromium, and the Opera 61 Developer build likewise removes the option to disable hyperlink auditing.

Finally, I tested the mobile versions of Chrome and Safari, and hyperlink auditing is enabled by default in both.

What this means is that Edge, Chromium, Opera, and Safari will no longer let you disable this tracking feature and privacy risk once Chrome 74 is released to the stable branch at the beginning of the month.

Firefox and Brave win the award

Of all the browsers I have tested, only Brave and Firefox disable hyperlink auditing by default, and neither appears to have any plans to enable it in the future.

Firefox 66, Firefox Beta 67, and Firefox Nightly 68 all disable hyperlink auditing by default and let users control it through the browser.send_pings setting in about:config.


Firefox 66 Setting

The privacy-focused Brave browser also disables it by default, and it cannot be enabled. Brave's flags page has a display bug that shows hyperlink auditing as enabled, but that entry is simply carried over from Chromium and is not displayed correctly.

If you want to reduce the risk of being tracked online and privacy is important to you, you will need to use Firefox or Brave.

More commonly used than originally thought

When the article was first published, some commenters said that this feature is rarely used compared to other tracking methods such as JavaScript and redirects.

Google uses hyperlink auditing in its search result pages. Whenever you click on a search result link, an HTTPS POST request is also sent to a Google URL in order to track your click.


Hyperlink auditing being used in Google

Update 4/7/19: The first paragraph has been cleared up.

Update 4/8/19: Added Google SERP information via hyperlink auditing.

Article credit: bleeping computer

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.