Remove branch.io fingerprint ID from URLs #39575

Closed
fmarier opened this issue Jul 4, 2024 · 2 comments · Fixed by brave/brave-core#24515

@fmarier
Member

fmarier commented Jul 4, 2024

Branch.io uses the _branch_match_id URL parameter to identify individual users. It's described in their official documentation as:

The current user's browser-fingerprint-id.

Here are some example URLs:

  • https://www.reddit.com/r/perplexity_ai/comments/1dsy4uj/i_compared_top_ai_search_engines_chatgpt/?%24deep_link=true&correlation_id=128c4378-a112-407c-a776-71a303e2681e&post_fullname=t3_1dsy4uj&post_index=0&ref=email_digest&ref_campaign=email_digest&ref_source=email&_branch_referrer=H4sIAAAAAAAAA21Q0WrDMAz8muwtaWNnTRmUMRj7DSFsNdHm2MZWaPv3U9atTwMbTnc%2BneRZJNeX3a6Q9ywd5twFjl87m18bM9h8IsD6pDAVnjhigLWE07y5GvvWmA89l8ul%2B%2FW7tChR9GYqOdCV5QbIWquyUJSqsPf1NqyfihiUzqhmkJT1IVTC4magqGFUwc0oUxZ4dNsSrYY%2Bm8ETZdiGbey7lJUac3CpFAoonCKwV743RzfY8dhi35t22I%2BuxXE8tGOPdm%2FJHI795supCpzXECIutLWz8BjyLnL0dFVlr0ShsyJakAN4nqjKnQSHugxP8X%2B1prU4%2BtOUXGXR%2FaPotyj7EyMsgb4ByBGkYpQBAAA%3D&%243p=e_as&_branch_match_id=1214926959150458150
  • https://www.reddit.com/r/todoist/comments/qbd4us/are_the_comments_in_completed_tasks_ever_deleted/?%24deep_link=true&correlation_id=52bb407f-56e1-41f6-a57b-ab3ed7ea9dab&post_fullname=t3_qbd4us&post_index=1&ref=email_digest&ref_campaign=email_digest&ref_source=email&%243p=e_as&_branch_match_id=961625680547054001

There is also a _branch_referrer parameter which appears to contain an encoding of the original URL and could be leaking more information than the Referer header.

Both are also removed by Copy clean link.

@stephendonner

Verified PASSED using

Brave | 1.69.88 Chromium: 127.0.6533.26 (Official Build) nightly (x86_64)
-- | --
Revision | d60303973dc3604d9d348b981322a8a04dcbb86d
OS | macOS Version 11.7.10 (Build 20G1427)

Steps:

  1. installed 1.69.88
  2. launched Brave
  3. opened Developer Tools
  4. clicked on Persist logs
  5. copied and entered https://brave.com/?_branch_match_id=12345&foobar&_branch_referrer=abcdef into the URL bar
  6. pressed return

Confirmed I was navigated to https://brave.com/?foobar


@hffvld
Contributor

hffvld commented Aug 1, 2024

Verified on Pixel 7 using version(s):

Device/OS: Pixel 7 / panther_beta-user 15 AP31.240617.010 release-keys
Brave build: 1.69.129
Chromium: 127.0.6533.73 (Official Build) beta (64-bit) 

STEPS:

  1. Follow the STR/TP from Remove branch.io fingerprint ID from URLs brave-core#24515 (comment)
  2. Verified

ACTUAL RESULTS:

  • Verified that _branch_* is removed when navigating to https://brave.com/?_branch_match_id=12345&foobar&_branch_referrer=abcdef
  • Verified that the URL bar shows https://brave.com/?foobar only
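The filtering verified in the comments above, as an added example that is not Brave's code and not part of the thread. The two parameter names come from the issue; the function names, the decision to match percent-encoded keys, and the sample URLs in the usage are assumptions made for illustration.

```javascript
// Added example, not Brave's implementation. Parameter names are from the
// issue; everything else here is hypothetical.
const BRANCH_PARAMS = new Set(["_branch_match_id", "_branch_referrer"]);

// Percent-decode a query key for comparison. Malformed escapes fall back to
// the raw text so a bad sequence cannot make the filter throw.
function decodeKey(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, " "));
  } catch (e) {
    return raw;
  }
}

// Strip the Branch.io parameters from an http(s) URL string.
// The raw query text is filtered pair by pair so surviving parameters keep
// their order and encoding (URLSearchParams would turn "foobar" into
// "foobar=" and rewrite "%24" escapes).
function stripBranchParams(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return input; // not an absolute URL: leave untouched
  }
  if (!/^https?:$/.test(url.protocol) || url.search.length < 2) return input;

  const pairs = url.search.slice(1).split("&");
  const kept = pairs.filter((pair) => {
    const rawKey = pair.split("=", 1)[0];
    return !BRANCH_PARAMS.has(decodeKey(rawKey));
  });
  if (kept.length === pairs.length) return input; // nothing to remove

  // An empty query drops the "?" entirely; the fragment is preserved.
  url.search = kept.length ? "?" + kept.join("&") : "";
  return url.href;
}

// The URL used in the verification steps above:
console.log(
  stripBranchParams(
    "https://brave.com/?_branch_match_id=12345&foobar&_branch_referrer=abcdef"
  )
);
```
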
