jacobajit | 4 years ago

A particularly bad instance of link tracking I've found is in TikTok's link sharing feature.

If you share a link from the TikTok app, it gives you a vm.tiktok.com/[xyz] link to send/post elsewhere. It gives you no indication that this isn't a generic link to the post, nor does it give you an option to expose the generic link to the post.

Instead, when you share that link and someone clicks on it and does not have the app, it opens with a header saying "[First Last] is on TikTok." On the other hand, once you do click on that link (if and only if you don't have the app installed), you get redirected to the static link to the video and finally obtain it.

This is an anti-pattern that enables further tracking and potentially unknowingly exposes user data when links are shared publicly. And there's no indication to the user that this is happening, since the link is structured as if it does not contain any tracking. I.e., a tool like this wouldn't be able to "strip out" the tracking since it isn't tacked on in any way, but embedded as the generated link itself.

gonehome|4 years ago

That’s pretty bad. I think TikTok’s risks are higher than people think. It’s better to avoid it.

https://stratechery.com/2020/the-tiktok-war/

Any company running out of mainland China is going to have serious privacy problems due to CCP influence and their need to comply with both local laws and the government’s interest in influencing public sentiment.

madeofpalk|4 years ago

As a non-american, we don't really have a choice of using a "native" social network that only has interference from our own government.

calvinmorrison|4 years ago

Any company running out of mainland USA is going to have serious privacy problems due to USA influence and their need to comply with both local laws and the government’s interest in influencing public sentiment.

userbinator|4 years ago

With websites, at least you can just copy the URL from the address bar and clean it. Of course, people are being slowly dumbed down by browsers' (mostly Chrome, but Firefox seems to follow its stupid trends not long afterwards) attempts at removing or hiding the URL, which is no surprise when you realise that herding the userbase to use dedicated "share" buttons (complete with tracking) is one of the reasons they're doing that.

DangerousPie|4 years ago

What's to stop a website from doing the same thing with the URLs in your address bar?

imiric|4 years ago

Stack Overflow does something similar, and adds a user tracking ID to any shared link, though apparently it's possible to remove it without breaking the link[1].

I only noticed when I received a badge for how many times it was clicked, and even though it's not nefarious I'd still prefer it to be opt-in rather than done by default.

[1]: https://meta.stackoverflow.com/q/277769

joshstrange|4 years ago

Yes, I regularly warn people on Reddit that their full name is being leaked in the TikTok link they shared. I have an iOS shortcut that expands the URL and chops off the gross tracking stuff so I can share links in private/public without exposing my TikTok "name" (I don't link any accounts and my name is made up).

ehsankia|4 years ago

> I have an iOS shortcut that expands the URL and chops off the gross tracking stuff

Ooo, that's pretty neat. I wonder if something similar can be achieved on Android. I usually manually paste it in Chrome and copy the redirect, although I also enable desktop view to not get the mobile link.

Breza|4 years ago

VRBO is another egregious example. My friend asked what I thought about a house she was thinking of renting for a trip. VRBO wouldn't let me view the link on my phone unless I downloaded their app. I had her copy and paste the house's description which I then Googled to get to the right listing.

milofeynman|4 years ago

When Twitter's snowflake was lengthened recently I was worried they might be doing this too. I'm afraid of the big ones moving to this. Spotify, Instagram, Twitter, etc.

ddorian43|4 years ago

Where was it lengthened?

space_fountain|4 years ago

A fun/weird result of this is that the interface in the link is in the language of whoever generated the link, not your browser’s language.

1vuio0pswjnm7|4 years ago

Assuming any certificate pinning can be defeated, it is easy to manipulate URLs with a loopback-bound forward proxy. Would be great if someone provided an example of one of these TikTok URLs so we could investigate.

jtbayly|4 years ago

But this can be solved, too, can’t it? It’s effectively a Bitly link. Just need to auto-expand to the final destination, right?

plorg|4 years ago

I have a self-written set of userscripts that does this, as well as unsetting javascript link rewrites and including bitly link expansion and Amazon URL decluttering. I would love to be able to use it on Firefox for Android again, but I don't see them enabling e.g. Tampermonkey any time soon.

If any shortlink uses bitly as a backend, you can expand it yourself by copying the link and adding a "+" at the end, bringing you to the bitly properties page for that link.

black_puppydog|4 years ago

Piece of cake. I'm sure there's an app for that, which incidentally needs access to your location data... /s

zuppy|4 years ago

that's not the problem, you can easily expand the url with curl (it will probably be a redirect) and manually remove the parameters. the problem is that it is not obvious to you that the link contains personally identifiable information.
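The expand-and-strip step described in the comment above, as an added example that is not part of the original thread: it follows redirects one hop at a time and drops the query string and fragment from the final URL. The host names, the `sharer_id` parameter and the redirect table are constructed for illustration, and stripping the whole query assumes the target site identifies content by path alone.

```python
import http.client
from urllib.parse import urljoin, urlsplit, urlunsplit

MAX_HOPS = 10  # hop limit so a misbehaving shortener cannot loop forever

def http_location(url):
    """Live resolver: one HEAD request, no auto-follow; Location header or None."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, resolve=http_location):
    """Return the full redirect chain, starting with the shared link."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        location = resolve(chain[-1])
        if location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % MAX_HOPS)

def strip_tracking(url):
    """Keep scheme, host and path; drop query string and fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def clean_share_link(url, resolve=http_location):
    return strip_tracking(expand(url, resolve)[-1])

# Constructed redirect table standing in for the network (not real TikTok data).
SAMPLE = {
    "https://short.example/AbC123/":
        "https://www.video.example/@creator/video/1001?sharer_id=42&lang=de",
    "https://short.example/rel": "/@creator/video/1002?sharer_id=42#top",
    "https://short.example/loop": "https://short.example/loop",
}

if __name__ == "__main__":
    print(clean_share_link("https://short.example/AbC123/", SAMPLE.get))
```

Passing `SAMPLE.get` as `resolve` runs the example offline; the default resolver sends a request to every hop, including the shortener itself.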

3np|4 years ago

Discord does something very similar

vagrantJin|4 years ago

This is needlessly alarmist.

A short video platform can hardly be expected to be a paragon of security and privacy. It has no utility whatsoever. I don't see where the concern comes from. A video of someone drinking coffee does not particularly invoke a point of concern.

What may be the real concern is China and the fact that the app is tied to it. That's more race/geo-politics/war-mongering issue than a privacy concern.

oauea|4 years ago

You can't be serious. If what the GP says is true, then TikTok leaks your full name to anyone you share a link to. I see neither your HN username nor your bio mentions your full name. Perhaps you are comfortable sharing this with anyone you communicate with online, but I'm not.