Invisible Click Tracking

Have a look at this URL linking to this post:

https://kaspars.net/blog/invisible-click-tracking​

Notice any tracking variables? Me neither! But check out the HTTP request and response in the network inspector of your browser — it is redirecting to the “same” URL:

Invisible click tracking using empty UTF8 characters

The idea is to use Unicode zero-width and space characters such as U+200B, U+200C and U+200D, UTF-8 encoded, which are invisible in the browser address field, on the page and in the HTML source.
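To check a link for this kind of hidden marker, the following added example (not code from the original post) reports and strips invisible characters in a URL, whether they appear raw or percent-escaped. The function name `inspectUrl`, the sample URLs, and the inclusion of U+2060 and U+FEFF beyond the three code points named above are assumptions of this example.

```javascript
// Added example (not from the post): find and strip invisible characters in a URL.
// U+200B, U+200C, U+200D are named in the post; U+2060 and U+FEFF are an
// assumption added here as further zero-width code points worth checking.
const INVISIBLE = new Map([
  [0x200b, 'ZERO WIDTH SPACE'],
  [0x200c, 'ZERO WIDTH NON-JOINER'],
  [0x200d, 'ZERO WIDTH JOINER'],
  [0x2060, 'WORD JOINER'],
  [0xfeff, 'ZERO WIDTH NO-BREAK SPACE'],
]);

// Match each character both raw and as its UTF-8 percent-escape
// (e.g. %E2%80%8B), in either hex case.
const PATTERN = new RegExp(
  [...INVISIBLE.keys()]
    .map((cp) => {
      const raw = String.fromCodePoint(cp);
      return `${raw}|${encodeURIComponent(raw)}`;
    })
    .join('|'),
  'gi'
);

// Returns the URL with hidden characters removed, plus a record of each one
// so the hidden sequence can be logged or compared across links.
function inspectUrl(url) {
  const hidden = [];
  const clean = url.replace(PATTERN, (match, offset) => {
    const escaped = match.startsWith('%');
    const cp = (escaped ? decodeURIComponent(match) : match).codePointAt(0);
    hidden.push({
      offset,
      codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
      name: INVISIBLE.get(cp),
      escaped,
    });
    return '';
  });
  return { clean, hidden, suspicious: hidden.length > 0 };
}

// Constructed samples: the post's URL with characters appended for this example.
const BASE = 'https://kaspars.net/blog/invisible-click-tracking';
const SAMPLE_RAW = BASE + '\u200b\u200d';
const SAMPLE_ESCAPED = BASE + '%E2%80%8C%e2%80%8b';

console.log(inspectUrl(SAMPLE_RAW));
console.log(inspectUrl(SAMPLE_ESCAPED));
```

Other percent-escapes in the URL are left untouched, so the cleaned link still resolves to the same resource.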

13 Comments

  1. Flimm says:

    This is a Unicode code point that’s supported in many more encodings than just UTF-8.

  2. Mateus says:

    Could someone explain to me how it is useful?

    • Kaspars says:

      This can replace query variables (such as utm_source) for click tracking purposes — everything from affiliate links to advertising campaigns.

      • Mateus says:

        But are there enough empty chars to identify each user? And what about copy+pasted links?

        • Riskable says:

          They’re invisible so you can use as many as you like (within the limit defined by the max URL length which is huge).

  3. Andrew says:

    Well as long as there are two, you can just use combinations of N characters and get 2^N possible unique identifiers for your users.

    More generally, if there are m empty characters, you can use n of them and have m^n unique combinations.

  4. Andrew says:

    Right click on the link and “Copy Link Address” (Chrome). Then paste it back into the address bar and you’ll see the hidden characters.

  5. Yvan says:

    As Andrew pointed out, we can do the same with Safari. But interesting thing :)

  6. Cihad Turhan says:

    GET request character limit is around 2000 characters. If you have 3 invisible characters and you generally have max 200 characters for your site. That is, there are
    3^1800 = 6.6 x 10^858 combinations roughly.

    That’s huge.

  7. Kevin says:

    Safari shows the extra characters url escaped:
    http://i.imgur.com/YPz9UZK.png

  8. Neil says:

    The linked page about the characters explains

    “Do not use this character in domain names. Browsers are blacklisting it because of the potential for phishing.”

    I don’t know if this’ll apply to the query parameters at the end, but might not be a great idea to jump on this discovery just yet.

  9. Jigar says:

    A basic Firefox extension for prevention: https://addons.mozilla.org/en-US/firefox/addon/url-watcher/ Feel free to improve it on GitHub.
