DEF CON 2018: Telltale URLs Leak PII to Dozens of Third Parties

When we order food online, book a plane ticket or purchase seats for a show, we often get an email confirmation with a handy link that, when clicked, takes us directly to our confirmation, with no need to log back into the site. These pages have our confirmation code, the ability to “manage bookings” to make changes or cancel a reservation, and in many cases they contain personal information such as name, address, gender, travel plans, passport numbers and more.

From a user experience point of view, it’s convenient – but also the result of a widespread online tracking topography that’s ripe for exploitation, according to Konark Modi, security and data analyst at Cliqz/Ghostery.

Modi, during a demo talk at DEF CON 26 today, showed how a little-known but widespread privacy and security issue that he’s dubbed “telltale URLs” can expose a raft of personal information to third-party tracking scripts.

These URLs are the web addresses of unique pages that represent a receipt or confirmation of an order, and they contain specific strings that are used as a unique identifier for confirmation pages. Modi explained that whoever gets access to these URLs can simply open them (be it manually or using bots) and see, extract and even change the personal information someone provided as a part of an online transaction.

In theory, these transactions are between a consumer and the company’s website or app, and, barring a man-in-the-middle attack or a snooping malware implant, should be private (although Modi pointed out that many of the confirmation links are HTTP, not HTTPS, and are thus inherently insecure). The problem lies in the fact that more often than not, the service provider running the website has added third-party tracking scripts to its websites and apps to provide analytics, advertising and other plug-in functionality. And much of the time these scripts aren’t carefully implemented: they capture the full page URL, including the unique URL pointing to the user’s confirmation – meaning that these third parties now potentially have access to all that data.

Worsening the problem is the fact that commonly used tracking scripts are implemented widely across many, many websites, Modi told Threatpost. “Analytics scripts for instance are available on many different websites so, if they wanted to, the analytics company could use cookies to see how a user moves across the web, correlating information. They can see that this person has seen this article, or logged into this website—and then, they can match that up with personal details gleaned from telltale URLs.”

He added, “We can’t give proof that any of these third-parties are accessing that information, but the capability is absolutely there. And even if they’re not using it this way, what happens if they’re hacked and the data is exposed to a bad actor?”

Modi said that he became aware of the problem when he looked into Emirates’ system of booking flight confirmations when he bought personal tickets for his family on a flight last fall.

“For a layman, when you book your flight through Emirates, domestic or international, there are approximately 300 data points related to your booking,” he said. “The moment you click on manage preferences to select a seat or meal for your trip or to check in to your flight, your booking ID and last name are passed on to approximately 14 different third-party trackers, like Crazy Egg, Boxever, Coremetrics, Google and Facebook, among others.”

His concern raised, he contacted Emirates support, kicking off a months-long interaction that finally resulted in retooling at the airline (no doubt encouraged by the EU’s General Data Protection Regulation (GDPR) implementation that happened in May).

“To be clear, it’s not just Emirates,” Modi said. “This problem exists everywhere – it’s a default situation, not a rarity. I’ve seen it with Lufthansa, global delivery service, FlixBus, GrubHub and Spotify, and even with medical providers,” he said, adding that many of them fixed the issues once contacted.

He noted that the danger is exacerbated depending on the type of website in question.

“For food-delivery sites like Foodora or Grubhub, you have to enter a physical address, which, when combined with other information, can be narrowed down to whether it’s an office or home or traveling,” he told Threatpost. “If it’s a medical transaction, it could even have your sexual orientation and if you have taken an HIV test, or information on other tests.”

Usually, neither e-commerce companies nor their customers are aware of the potential privacy leaks, he added, noting that website owners and app developers should be building in privacy protections from the ground up.

“A lot of education needs to happen at the developer level – the implementation of analytics needs to be done in such a way that the engine can’t be used to gather more information,” Modi said. “These are basic hygiene practices – just limit the kinds of information third parties can access.”

Longer term, developers should carefully inspect why the third party is there in the first place, to whittle down the use of cookies and data-sharing.

Modi has developed Local Sheriff to help consumers understand how their data is being shared; it’s a browser extension that works in the background to identify what sensitive information is being shared/leaked to third parties and by which websites.

“People don’t understand what kind of information they’re losing to these third parties, so end-user education is part of this too,” Modi said.