In essence, this technique, which I call “redirect tracking”, works by abusing the HTTP 301 redirect mechanism to redirect each user to a unique URL. HTTP 301 redirects are used by web servers to tell browsers that the requested URL has been redirected “permanently” to another one. This mechanism was first designed to allow websites to correct user mistakes or to redirect multiple domains to a single one. Nowadays the most prominent users of 301 redirects are URL-shortening services. For example, when using the short URL http://bit.ly/na7YwZ to access this blog post, the following interaction takes place under the hood:
[Figure: How an HTTP 301 redirect works]
In the first step, your browser requests from bit.ly the content of the short URL. Bit.ly answers by saying that this content is permanently located at the URL. The browser caches this information and navigates to the redirected URL.
The redirect tracking method works almost the same way, except it uses the redirect to plant the unique identifier:
When the user requests the tracking page, its code looks at the URL path/parameters to see whether there is a unique identifier (i.e. http://evil.com/track.php?id=xxx). If the URL does not contain a unique identifier (http://evil.com/track.php), then the tracking page uses the HTTP 301 headers to assign a unique identifier to the user (redirect to: http://evil.com/track.php?id=xxx). When the redirection occurs, the browser caches the redirect information, so the next time the user connects to the tracking page, the user is redirected to the tracking page with his unique id.
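Seen from the defender's side, the pattern described above leaves a recognizable signature: two clients with empty caches that request the same URL each get a cacheable 301 back to that same page, differing only in one query parameter. The check below is an added example, not the author's demo code; the function name, the `(status, headers)` probe format and the sample identifier values are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit, parse_qs

def per_client_redirect_params(url, probe_a, probe_b):
    """Return the query parameters that carry a per-client value.

    probe_a / probe_b are (status, headers) pairs recorded from two fresh
    clients (empty cache, no cookies) that requested `url`. An empty list
    means the responses do not match the redirect-tracking pattern.
    """
    locations = []
    for status, headers in (probe_a, probe_b):
        cache_control = headers.get("Cache-Control", "").lower()
        # A 301 is cacheable by default; no-store keeps it out of the cache,
        # so nothing would persist in the browser.
        if status != 301 or "no-store" in cache_control:
            return []
        # Location may be relative, so resolve it against the request URL.
        locations.append(urlsplit(urljoin(url, headers.get("Location", ""))))
    req = urlsplit(url)
    a, b = locations
    # The tracking page redirects back to itself; a shortener redirects away.
    if not ((a.netloc, a.path) == (b.netloc, b.path) == (req.netloc, req.path)):
        return []
    qa, qb = parse_qs(a.query), parse_qs(b.query)
    return sorted(k for k in qa.keys() | qb.keys() if qa.get(k) != qb.get(k))

# Constructed sample probes (identifier values are made up).
TRACK_URL = "http://evil.com/track.php"
TRACK_A = (301, {"Location": "http://evil.com/track.php?id=7f3a9c"})
TRACK_B = (301, {"Location": "track.php?id=b81e04"})  # relative Location
SHORT_URL = "http://short.example/abc"
SHORT_A = SHORT_B = (301, {"Location": "http://blog.example/post"})

if __name__ == "__main__":
    print(per_client_redirect_params(TRACK_URL, TRACK_A, TRACK_B))
    print(per_client_redirect_params(SHORT_URL, SHORT_A, SHORT_B))
```

An ordinary shortener redirect returns an empty list because every client is sent to the same target, while the tracking page is flagged with the name of the parameter that varies.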
I tested this technique on Firefox 5, Internet Explorer 9, Safari and Chrome: it works on all of them except the new versions of Safari. There are a couple of interesting quirks to take into account while using this method:
If you want to test it yourself, a demo is available here: http://elie.im/demo/redirect-tracking.php If you want to play with the code, you can get it here: http://elie.im/demo/redirect-tracking.phps
Thanks to Andrew Bortz: he was the first to research in a systematic way how to track users with a simple HTTP request, and this technique was born from our discussion.
As usual, don't forget to follow me on Twitter @elie or Google+ to get the latest security news, and come back every Sunday night for the security best-of of the week.