January 2, 2021
This Christmas, a family member sent me a URL to a family Zoom call. However, they didn't send me a direct link to Zoom. Instead, they sent me a tinyurl.com link.
When I clicked on the link, my URL bar flashed an intermediate domain that was neither Zoom nor TinyURL. Later, I used cURL to see where this URL was really going.
$ curl -v https://tinyurl.com/examplezoom
> GET /examplezoom HTTP/2
> Host: tinyurl.com
< location: https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC
(all HTTP responses abridged for clarity)
Sure enough, the redirect wasn't clean at all. TinyURL was first sending me to VigLink [1]. VigLink is an advertising tracking company that specializes in affiliate marketing.
Following the redirect in cURL reveals another unsavory fact. VigLink sets cookies before they send me to the intended destination on Zoom.
$ curl -v 'https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC'
> GET /?key=a7e37b5f6ff1de9cb410158b1013e54a&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC HTTP/1.1
> Host: redirect.viglink.com
< Set-Cookie: vglnk.PartnerRfsh.p=; Domain=.viglink.com; Path=/; SameSite=None; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure
< Set-Cookie: vglnk.Agent.p=v-c935c520ecc561fe60a9418874e023b7; Domain=.viglink.com; Path=/; SameSite=None; Expires=Mon, 01 Feb 2021 16:52:34 GMT; Secure
These cookies give them the ability [2] to track me across every other site that uses their advertising tech. Who knows what VigLink is doing with my data, but I personally wouldn't trust an advertising company to keep my browsing history to themselves.
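The check done by hand above can be scripted. The following Python is an added example, not code from the original post: it takes the two abridged responses shown above as sample input, recovers the real destination from the tracker URL's query string without contacting the tracker, and lists which cookies would persist. The function names and the `HOPS` structure are assumptions made for this example, and it relies on the destination being embedded in a query parameter, as it is here.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qs, urlsplit

TRACKER = ("https://redirect.viglink.com?key=a7e37b5f6ff1de9cb410158b1013e54a"
           "&u=https%3A%2F%2Fzoom.us%2Fj%2F123456789&prodOvrd=RAC")
# Sample input built from the post's abridged cURL output; hop 2's URL is the
# Location header returned by hop 1.
HOPS = [
    {"url": "https://tinyurl.com/examplezoom", "set_cookie": []},
    {"url": TRACKER, "set_cookie": [
        "vglnk.PartnerRfsh.p=; Domain=.viglink.com; Path=/; SameSite=None; "
        "Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure",
        "vglnk.Agent.p=v-c935c520ecc561fe60a9418874e023b7; Domain=.viglink.com; "
        "Path=/; SameSite=None; Expires=Mon, 01 Feb 2021 16:52:34 GMT; Secure",
    ]},
]

def embedded_destination(url):
    """Return the first query value that is itself an http(s) URL, else None."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if urlsplit(value).scheme in ("http", "https"):
                return value
    return None

def persistent_cookies(headers, now):
    """Names of cookies that carry a value and expire after `now`."""
    names = []
    for header in headers:
        pair, *attrs = [part.strip() for part in header.split(";")]
        name, _, value = pair.partition("=")
        attr = {k.lower(): v for k, _, v in (a.partition("=") for a in attrs)}
        expires = attr.get("expires")
        # An empty value with an epoch expiry is a deletion, not a tracker.
        if value and expires and parsedate_to_datetime(expires) > now:
            names.append(name)
    return names

def audit(hops, now):
    """Flag hops on a host that is neither the shortener nor the destination."""
    shortener = urlsplit(hops[0]["url"]).hostname
    findings = []
    for hop in hops:
        host = urlsplit(hop["url"]).hostname
        target = embedded_destination(hop["url"])
        if host != shortener and target and urlsplit(target).hostname != host:
            findings.append({"intermediary": host, "destination": target,
                             "persistent_cookies": persistent_cookies(hop["set_cookie"], now)})
    return findings
```

Calling `audit(HOPS, now)` with `now` set to the date of the request returns one finding per intermediary, so the destination can be opened directly instead of through the tracker.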
Don't use URL shorteners. And if you click on a link from a URL shortener, I recommend using tools like the Temporary Containers Firefox extension to limit the scope of ad tracking. Personally, I took the time to send Sovrn (VigLink's parent company) a GDPR request, and made sure to give them my tracking cookie. I'll update this blog and my newsletter if I actually get anything substantive back.
[1] Their main website was initially blocked by my ad-blocking software. I figured I'd just link to Wikipedia here.
[2] Browsers like Safari and Firefox are getting better at catching these drive-by attempts to set cookies. I applaud those efforts, but since this type of tracking works in many cases and is explicitly limited by privacy law, I think it's still noteworthy.