Home / Industry

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Have you ever gone to socially share or email a URL and found that it was much longer than you had expected? Take the following contrived URL as an example:


In your personal experience, as in our example, you might have realized that the URL was as much about you, the client, as it was about the Web resource you were trying to access. Indeed, Internet addresses may contain a wealth of information about the identities and activities of the users visiting them. URLs often utilize query strings (i.e., key-value pairs appended to the URL path; in our example, everything after the question mark) as a means to pass session parameters and form data. While sometimes benign and necessary to render the Web page, query strings often contain tracking mechanisms, user names, email addresses, and other information that users may not wish to publicly reveal. In isolation this is not particularly problematic, but the growth of Web 2.0 platforms such as social networks and micro-blogging means such URLs are increasingly being publicly broadcast.

Andrew G. West, a Research Scientist in Verisign Labs, along with collaborator and U.S. Naval Academy professor Adam J. Aviv examined nearly 900 million user-submitted URLs to gauge the prevalence and severity of such privacy leaks. Within the corpus they found troves of personal information. Almost 55 percent of URLs have a query string, and of those, 53 percent disclose referrer data (i.e., how you got to the page) with at least 2.7 percent having more acute privacy ramifications. For example, 1.7 million email addresses were found in the data, but the most egregious incidents were the several dozen cases where query strings contained usernames and passwords for administrative and sensitive accounts in *plain-text.* The study also found that mobile devices contribute an atypically significant portion of the problem space, perhaps because small screen sizes and difficult input mechanisms prevent users from observing and manually eliminating private data.

With this as motivation, the researchers propose the development of a privacy-aware URL sanitization service named “CleanURL.” The goal of the proposal is to transform input addresses by stripping non-essential key-value pairs and/or notifying users when sensitive data is critical to proper page rendering. Such a system could be user-facing, transparently built into online platforms, and/or retroactively applied to existing links. Regardless, the goal of this research and the proposed system echoes one of Verisign: Increasing the safety and security of the Internet for corporations and individuals alike.

This research was initially published at the 8th Workshop on Web 2.0 Security and Privacy (W2SP 2014), and an expanded journal version is currently in submission.

Read the full report, On the Privacy Concerns of URL Query Strings [PDF].

By Verisign, A Global Provider of Critical Internet Infrastructure and Domain Name Registry Services

Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign


Sponsored byDNIB.com