How is Facebook tracking our (outgoing) URLs?

Mattias Geniar, Wednesday, March 30, 2011

Perhaps I'm one of the few, but I always check the location-URL that shows up in the statusbar when you hover over a link. Just to avoid people showing a link to "site.be" which would in fact direct you to "random.be". By doing so, you'll learn a lot about who's tracking your clicks etc.

But not everyone makes it so obvious to decipher it, and that includes our beloved Facebook. Take the screenshot below, for example. I hover over the "F.lux" URL, and the statusbar shows that I would be redirected to the URL I was expecting.

However, that's not what happens when you click on it. In fact, you get redirected to the following URL:

http://www.facebook.com/l.php?u=http%3A%2F%2Fstereopsis.com%2Fflux%2F&h=833ba

By simply decoding the URL-encoded chars, it's obvious what the real link is:

http://www.facebook.com/l.php?u=http://stereopsis.com/flux/&h=833ba

So then Mr. Zuckerberg, how are you tracking us? My best guess would have been JavaScript events that are added on all "<a href>" elements on the page and that are fired upon mouseclick. That keeps the source code intact (since they fire client-side), and makes it a lot harder to track it. (At least, that's how I attempted to do it with my Firefox extension.)

Here's what such a URL actually looks like.

<a href="http://stereopsis.com/flux/" target="_blank" rel="nofollow" onmousedown="UntrustedLink.bootstrap($(this), &quot;833ba&quot;, event, bagof(null));">F.lux</a>

So they're dealing with it using onmousedown events, not by adding event handlers on all found URLs. The result remains: the client sees the real URL on mouseover, but the underlying JavaScript deals with the actual tracking. And this still works on people that have JavaScript disabled in the browser.
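As an added example (not code from the original post or from Facebook), the JavaScript below decodes a redirect URL of the `l.php?u=...&h=...` shape quoted above and lists anchors whose inline mouse handlers can change the destination at click time. The function names, the regex-based tag scan and the second sample link are assumptions; the sample input is constructed from the snippets in this post.

```javascript
// Constructed sample input, modelled on the URL and markup quoted in the post.
const SAMPLE_REDIRECT =
  "http://www.facebook.com/l.php?u=http%3A%2F%2Fstereopsis.com%2Fflux%2F&h=833ba";
const SAMPLE_HTML = `
<a href="http://stereopsis.com/flux/" target="_blank" rel="nofollow"
   onmousedown="UntrustedLink.bootstrap($(this), &quot;833ba&quot;, event, bagof(null));">F.lux</a>
<a href="http://example.org/plain">plain link</a>`;

// Parse a redirector URL of the form .../l.php?u=<encoded target>&h=<token>.
// Returns null when the input is not a redirect of that shape, or when the
// wrapped target is not an http(s) URL.
function unwrapRedirect(raw) {
  let url, dest;
  try { url = new URL(raw); } catch { return null; }
  if (!url.pathname.endsWith("/l.php")) return null;
  const target = url.searchParams.get("u"); // searchParams percent-decodes for us
  if (!target) return null;
  try { dest = new URL(target); } catch { return null; }
  if (dest.protocol !== "http:" && dest.protocol !== "https:") return null;
  return {
    redirector: url.host,
    destination: dest.href,
    token: url.searchParams.get("h"), // opaque value tied to the link
  };
}

// List anchors that carry an inline mouse handler. For these, the href shown
// on hover is not necessarily the URL the browser requests after the click.
// Simplification: a regex scan over double-quoted attributes, not an HTML parser.
function findHandlerLinks(html) {
  const hits = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const href = /\bhref\s*=\s*"([^"]*)"/i.exec(tag);
    const handler = /\bon(mousedown|mouseup|click)\s*=\s*"([^"]*)"/i.exec(tag);
    if (href && handler) {
      hits.push({
        href: href[1],
        event: "on" + handler[1].toLowerCase(),
        code: handler[2].replace(/&quot;/g, '"'), // undo attribute escaping
      });
    }
  }
  return hits;
}

console.log(unwrapRedirect(SAMPLE_REDIRECT));
console.log(findHandlerLinks(SAMPLE_HTML));
```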

I'm not sure how long this has been happening, but I've only just recently noticed it. Probably because the redirect-page took slightly longer to load, and thus showed the actual URL in the browser.

All things considered, it's a good way to hide your tracking. I'm worried whenever I see a link that differs from what I mouseover, and I feel more "at ease" (no matter how much trickery is still at play) when I see that they match as I would have expected.



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

Dries Wednesday, March 30, 2011 at 21:55

I think it is more a question about what they do with that information. Tracking is one thing, what they’ll use it for is another. The encoding is just a safe way to get no errors, no?


    Tika Boersbroek Wednesday, March 30, 2011 at 22:44

    “The encoding is just a safe way to get no errors, no?”

    NO! It’s not to “get no errors”, it’s to build correct URIs! Not encoding it would leave you with a non qualified URI.


Matti Wednesday, March 30, 2011 at 21:59

Indeed, URL encoding is just to be “correct”, but makes it a tad harder to read. Decoding it makes it easier again for the human eye.

It’ll give them more insight into what users do, what they’re interested in, … But they’ve probably had that info for years already …


David Geens Thursday, March 31, 2011 at 08:27

I noticed this behavior already from the very beginning, when I started using Facebook. I guess it has always been there.


James Thursday, September 22, 2011 at 22:21

Does anyone know exactly how the UntrustedLink.bootstrap() function Facebook uses works? How can you change the href of a link on mousedown without the correct URL being displayed in the status bar? Clever stuff.

