HomeBlogDevelopment

Invisible Click Tracking

February 14, 2015 Development 13 Comments

Have a look at this URL linking to this post:

https://kaspars.net/blog/invisible-click-tracking​

Notice any tracking variables? Me neither! But check out the HTTP request and response in the network inspector of your browser — it is redirecting to the “same” URL:

Invisible click tracking using empty UTF8 characters

The idea is to use zero-width and space characters of UTF-8 Unicode such as U+200B, U+200C, U+200D which are invisible both in the browser address field and on page or in the HTML source.

Related posts:

  1. 3D DOM Element Inspector in Firefox
  2. Limit the Number of Words or Characters in WordPress Editor
  3. WordPress Dashboard UI Idea #3
  4. Add Input Field Type as CSS Class in Gravity Forms

13 Comments

  1. Flimm says:
    February 14, 2015 at 14:46

    This is a Unicode code point that’s supported in many more encodings than just UTF-8.

    Reply
  2. Mateus says:
    February 14, 2015 at 16:19

    Could someone explain me how is it useful?

    Reply
    • Kaspars says:
      February 14, 2015 at 16:28

      This can replace query variables (such as utm_source) for click tracking purposes — everything from affiliate links to advertising campaigns.

      Reply
      • Mateus says:
        February 14, 2015 at 17:00

        But there are enougth empty chars to identify each user? And what about copy+pasted links?

        Reply
        • Riskable says:
          February 14, 2015 at 20:51

          They’re invisible so you can use as many as you like (within the limit defined by the max URL length which is huge).

  3. Andrew says:
    February 14, 2015 at 17:37

    Well as long as there are two, you can just use combinations of N characters and get 2^N possible unique identifiers for your users.

    More generally, if there are m empty characters, you can use n of them and have m^n unique combinations.

    Reply
  4. Andrew says:
    February 14, 2015 at 17:42

    Right click and the link and “Copy Link Address” (Chrome). Then Paste it back into the address bar and you’ll see the hidden characters.

    Reply
  5. Yvan says:
    February 14, 2015 at 22:39

    As Andrew pointed, we can do the same with Safari. But interesting thing :)

    Reply
  6. Cihad Turhan says:
    February 14, 2015 at 23:00

    GET request character limit is around 2000 characters. If you have 3 invisible characters and you generally have max 200 characters for your site. That is, there are
    3^1800 = 6.6 x 10^858 combinations roughly.

    That’s huge.

    Reply
  7. Kevin says:
    February 14, 2015 at 23:19

    Safari shows the extra characters url escaped:
    http://i.imgur.com/YPz9UZK.png

    Reply
  8. Neil says:
    February 15, 2015 at 00:28

    The linked page about the characters explains

    “Do not use this character in domain names. Browsers are blacklisting it because of the potential for phishing.”

    I don’t know if this’ll apply to the query parameters at the end, but might not be a great idea to jump on this discovery just yet.

    Reply
  9. Jigar says:
    June 3, 2015 at 23:33

    a basic firefox extension for prevention https://addons.mozilla.org/en-US/firefox/addon/url-watcher/ feel free to improve it on github

    Reply

Leave a Reply