Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Emarsys / Scarab trackers from URLs #43077

Closed
fmarier opened this issue Jan 1, 2025 · 2 comments · Fixed by brave/brave-core#27105
Closed

Remove Emarsys / Scarab trackers from URLs #43077

fmarier opened this issue Jan 1, 2025 · 2 comments · Fixed by brave/brave-core#27105
Assignees
@fmarier
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/query-filter QA Pass - Android ARM QA Pass-Win64 QA/Yes release-notes/include
Milestone
1.75.x - Release

Comments

@fmarier
Copy link
Member

fmarier commented Jan 1, 2025

Following a link in an email, I was taken to the following page: https://www.icebreaker.com/fr-ca/mens?sc_src=email_3666939&sc_lid=351971079&sc_uid=PFS...Ca&sc_llid=2508&sc_eh=6b24421b86660dd01.

These parameters come from Emarsys Web Extend. Based on their official docs:

it looks like:

  • sc_customer is a customer ID
  • sc_eh is an email hash

The sc_ prefix stands for Scarab Cloud the original company which developed this technology before the Emarsys (2013) then SAP (2020) acquisitions.

The unsubscribe link I found in the email was: https://preferences.icebreaker.com/unsubscribe/index.html?uid=PFS...Ca&cid=4039519&llid=4634&language=ca_fr&sc_src=email_4039519&sc_lid=389204031&sc_uid=PFS...Ca&sc_llid=4634&sc_eh=6b24421b86660dd01

but it looks like the sc_-prefixed parameters are superfluous since the following works fine: https://preferences.icebreaker.com/unsubscribe/index.html?uid=PFS...Ca&cid=4039519&llid=4634&language=ca_fr

and only the user ID (uid) and the list ID (llid) are needed.

We should remove these parameters since they are designed to identify individuals:

  • sc_customer
  • sc_eh
  • sc_uid
@fmarier fmarier self-assigned this Jan 1, 2025
@github-project-automation github-project-automation bot moved this to Untriaged Backlog in Security & Privacy Jan 1, 2025
@fmarier fmarier mentioned this issue Jan 1, 2025
Merged
@fmarier fmarier added priority/P3 The next thing for us to work on. It'll ride the trains. QA/Yes release-notes/include OS/Android Fixes related to Android browser functionality OS/Desktop labels Jan 1, 2025
@fmarier fmarier moved this from Untriaged Backlog to Pending review in Security & Privacy Jan 1, 2025
@fmarier fmarier mentioned this issue Jan 1, 2025
Merged
24 tasks
@github-project-automation github-project-automation bot moved this from Pending review to Completed in Security & Privacy Jan 3, 2025
@brave-builds brave-builds added this to the 1.75.x - Nightly milestone Jan 3, 2025
@hffvld hffvld added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Jan 16, 2025
@hffvld
Copy link
Contributor

hffvld commented Jan 16, 2025

Verified on Galaxy Z Fold 6 using version(s):

Device/OS: Galaxy Z Fold 6 / q6quew-user 14 UP1A.231005.007 release-keys
Brave build: 1.75.159
Chromium: 132.0.6834.83 (Official Build) beta (64-bit)

STEPS:

  1. Follow the STR/TP from Remove Emarsys / Scarab trackers from URLs brave-core#27105 (comment)
  2. Verify

ACTUAL RESULTS:

  • Verified that user is landed to https://brave.com/?abc=123 when navigating to https://brave.com/?abc=123&sc_customer=1&sc_eh=2&sc_uid=3
2025-01-16_11-38-27.mp4

@hffvld hffvld added QA Pass - Android ARM and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Jan 16, 2025
@MadhaviSeelam
Copy link

MadhaviSeelam commented Jan 16, 2025
edited
Loading

Verification PASSED using

Brave | 1.75.161 Chromium: 132.0.6834.83 (Official Build) beta (64-bit)
-- | --
Revision | 7e59e37e24ad33062e0f20e842236aa03f579407
OS | Windows 11 Version 24H2 (Build 26100.2894)

Reproduced the issue in 1.74.48 using the STR/testplan from brave/brave-core#27105 (comment)

sc_customer=1&sc_eh=2&sc_uid=3 parameters are shown

Image

Installed 1.75.161
launched Brave
verified brave://settings/shields show Standard settings are shown
opened https://brave.com/?abc=123&sc_customer=1&sc_eh=2&sc_uid=3 in a new tab

####Confirmed that the URL bar just shown https://brave.com/?abc=123

  • sc_customer=1&sc_eh=2&sc_uid=3 parameters are stripped
example example
Image Image

@LaurenWags LaurenWags mentioned this issue Feb 5, 2025
Closed
@hffvld hffvld mentioned this issue Feb 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fmarier fmarier

Labels
OS/Android Fixes related to Android browser functionality OS/Desktop priority/P3 The next thing for us to work on. It'll ride the trains. privacy/query-filter QA Pass - Android ARM QA Pass-Win64 QA/Yes release-notes/include
Projects
Security & Privacy
Status: Completed
Milestone
1.75.x - Release
Development

Successfully merging a pull request may close this issue.

Remove Emarsys / Scarab trackers from URLs brave/brave-core
4 participants
@fmarier @brave-builds @MadhaviSeelam @hffvld