Remove Emarsys / Scarab trackers from URLs #43077

Closed
fmarier opened this issue Jan 1, 2025 · 2 comments · Fixed by brave/brave-core#27105
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/query-filter QA Pass - Android ARM QA Pass-Win64 QA/Yes release-notes/include

Comments

fmarier commented Jan 1, 2025

Following a link in an email, I was taken to the following page: https://www.icebreaker.com/fr-ca/mens?sc_src=email_3666939&sc_lid=351971079&sc_uid=PFS...Ca&sc_llid=2508&sc_eh=6b24421b86660dd01.

These parameters come from Emarsys Web Extend. Based on their official docs:

it looks like:

  • sc_customer is a customer ID
  • sc_eh is an email hash

The sc_ prefix stands for Scarab Cloud, the original company which developed this technology before the Emarsys (2013) then SAP (2020) acquisitions.

The unsubscribe link I found in the email was: https://preferences.icebreaker.com/unsubscribe/index.html?uid=PFS...Ca&cid=4039519&llid=4634&language=ca_fr&sc_src=email_4039519&sc_lid=389204031&sc_uid=PFS...Ca&sc_llid=4634&sc_eh=6b24421b86660dd01

but it looks like the sc_-prefixed parameters are superfluous since the following works fine: https://preferences.icebreaker.com/unsubscribe/index.html?uid=PFS...Ca&cid=4039519&llid=4634&language=ca_fr

and only the user ID (uid) and the list ID (llid) are needed.

We should remove these parameters since they are designed to identify individuals:

  • sc_customer
  • sc_eh
  • sc_uid
@brave-builds brave-builds added this to the 1.75.x - Nightly milestone Jan 3, 2025

hffvld commented Jan 16, 2025

Verified on Galaxy Z Fold 6 using version(s):

Device/OS: Galaxy Z Fold 6 / q6quew-user 14 UP1A.231005.007 release-keys
Brave build: 1.75.159
Chromium: 132.0.6834.83 (Official Build) beta (64-bit)

STEPS:

  1. Follow the STR/TP from Remove Emarsys / Scarab trackers from URLs brave-core#27105 (comment)
  2. Verify

ACTUAL RESULTS:

  • Verified that the user lands on https://brave.com/?abc=123 when navigating to https://brave.com/?abc=123&sc_customer=1&sc_eh=2&sc_uid=3

MadhaviSeelam commented Jan 16, 2025

Verification PASSED using

Brave | 1.75.161 Chromium: 132.0.6834.83 (Official Build) beta (64-bit)
-- | --
Revision | 7e59e37e24ad33062e0f20e842236aa03f579407
OS | Windows 11 Version 24H2 (Build 26100.2894)

Reproduced the issue in 1.74.48 using the STR/testplan from brave/brave-core#27105 (comment)

sc_customer=1&sc_eh=2&sc_uid=3 parameters are shown

Installed 1.75.161
launched Brave
verified brave://settings/shields show Standard settings are shown
opened https://brave.com/?abc=123&sc_customer=1&sc_eh=2&sc_uid=3 in a new tab

Confirmed that the URL bar just shows https://brave.com/?abc=123

  • sc_customer=1&sc_eh=2&sc_uid=3 parameters are stripped
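
The filtering behaviour verified in this thread, as an added example that is not part of the original issue and is not Brave's implementation. The function name `stripEmarsysParams` is hypothetical, and matching percent-encoded parameter names is a choice made here, not something the thread specifies.

```javascript
// The three parameters the issue proposes to remove. Other sc_-prefixed
// parameters (sc_src, sc_lid, sc_llid) are not on that list and are kept.
const TRACKING_PARAMS = new Set(["sc_customer", "sc_eh", "sc_uid"]);

// Remove the listed parameters from a URL string while leaving every other
// byte untouched: remaining parameters keep their order and their original
// encoding, and the fragment is never parsed as a query string.
function stripEmarsysParams(url) {
  const hashAt = url.indexOf("#");
  const fragment = hashAt === -1 ? "" : url.slice(hashAt);
  const beforeFragment = hashAt === -1 ? url : url.slice(0, hashAt);

  const queryAt = beforeFragment.indexOf("?");
  if (queryAt === -1) return url; // no query string, nothing to filter

  const base = beforeFragment.slice(0, queryAt);
  const kept = beforeFragment
    .slice(queryAt + 1)
    .split("&")
    .filter((pair) => {
      const rawName = pair.split("=", 1)[0];
      let name = rawName;
      try {
        // Assumption: treat sc%5Fuid the same as sc_uid.
        name = decodeURIComponent(rawName);
      } catch {
        // Malformed percent-escape: compare the raw name instead.
      }
      return !TRACKING_PARAMS.has(name);
    });

  // Drop the "?" as well when no parameters remain.
  const query = kept.length > 0 ? "?" + kept.join("&") : "";
  return base + query + fragment;
}

// The QA test URL from this thread.
console.log(
  stripEmarsysParams("https://brave.com/?abc=123&sc_customer=1&sc_eh=2&sc_uid=3")
);
```

Working on the raw string rather than re-serialising through `URLSearchParams` avoids changing the encoding of parameters that are kept, which can break sites that compare query strings exactly.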