Query Strings are not Secure
How to exploit a query string
Open your history and search for your email, or search for the word "email" itself. Use Chrome's "journeys" tab to help read URLs.
Personally, I see several companies that embed my email address in the query string. Hilton was even kind enough to use the simple-to-find key, "?email=xxx@xxxx.com". Convenient!
Query string exploitation is a common attack vector because it's fairly easy to acquire this data. How? There are a few ways.
Browser extensions are notorious for vacuuming up "anonymized" URL history data. Of course, that data isn't actually anonymous when it contains email addresses or other PII in query strings. Some of these extensions simply sell this data to interested buyers...leading to obvious exploits.
Sneaky malware can also listen in on all HTTP requests, and data transmitted (unencrypted) is an easy gold mine. Although unlikely, attackers could also compromise a site with malicious code, enabling them to easily read from the history and exfiltrate query string (or URL) params.
In summary, it's worth treating any data passed in a URL as public. Most engineers already know this and use POST for forms...but it's surprising how careless they can still be with query strings in other contexts!
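The manual "search your history for your email" check above can be automated. The following is an added example, not code from the original post: it parses each URL's query string and flags values that are emails (plain or base64-wrapped) and parameter names that usually carry identifiers. The URLs and the `SUSPECT_KEYS` list are constructed assumptions.

```python
# Added example: audit URLs for PII leaking through query-string parameters.
# SAMPLE_HISTORY is constructed sample data, not real browser history.
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlparse

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Parameter names worth flagging even when the value is not an email
# (assumed starter list; extend it for your own applications).
SUSPECT_KEYS = {"email", "e", "user_email", "api_key", "apikey", "token"}

SAMPLE_HISTORY = [  # constructed sample URLs
    "https://example.com/offers?email=jane.doe@example.org&campaign=spring",
    "https://example.com/search?q=hotels+near+me",
    "https://api.example.net/v1/items?apikey=abc123SAMPLEKEY",
    "https://example.com/track?u=am9obkBleGFtcGxlLm9yZw%3D%3D",  # base64 of an email
]

def looks_like_email(value):
    """True for a plain email or a base64-encoded one (base64 hides nothing)."""
    if EMAIL_RE.match(value):
        return True
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return bool(EMAIL_RE.match(decoded))

def find_leaks(urls):
    """Return (url, key, reason) for every query parameter that looks sensitive."""
    findings = []
    for url in urls:
        for key, value in parse_qsl(urlparse(url).query):  # percent-decoded
            if looks_like_email(value):
                findings.append((url, key, "email in value"))
            elif key.lower() in SUSPECT_KEYS:
                findings.append((url, key, "sensitive parameter name"))
    return findings

if __name__ == "__main__":
    for url, key, reason in find_leaks(SAMPLE_HISTORY):
        print(f"{reason:26} {key}= in {url}")
```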
AI will make exploits like this worse
Look through your history and you'll likely see a wealth of data that might be parsed from the various URLs and query strings in your history. Paired with an email, a properly trained LLM could spit out a highly personalized scam. My address or general location could be intuited from my recent maps searches. My banking institution could be mimicked. Recent purchases analyzed.
Context clues that would be absurdly inefficient for scammers to analyze and incorporate today might be easy pickings in the future thanks to such advances. After all, the key to scamming is scale...this gives average users a certain amount of protection. Most scams aren't very well engineered or personalized, but if they hit enough inboxes? Still dangerous.
AI-tailored emails using data easily exfiltrated from query strings would be a different beast. Those campaigns would certainly be more successful. As the more computer-literate generations age, scams like this will thrive because people presume that any email with all that relevant PII is legit. The "sense" that so many have learned that helps them separate scams from legit emails will not be good enough.
There's little doubt that scammers are toying with AI tools even as I type this, so as engineers, it's important that we keep up. As a super simple start...don't expose your users by being careless with query strings!
These exploits are fairly common
Even without AI, it's easy to exploit data extracted from query strings (via whatever vector). All it takes is one user to click on a link that contains something like an API key in the query string -- if that user happens to have a browser extension which shares that URL with a third party ("legitimately" or not), you're screwed.
It's surprising that big companies (like Hilton *cough*) are still fairly careless, but perhaps that's because corporations view data as gold. Embedding things like the user's email in a URL allows them to track even anonymous users as they navigate carefully designed sales funnels. The obsessive drive to collect, curate, and action user data sometimes overrides security concerns...especially when they are distant concerns.
Still, it's ultimately up to companies to protect the data that users volunteer.
It is fairly easy to avoid embedding this data
Email is a popular "primary key" for tracking users, so if you must embed it in a query string, at least obfuscate or encrypt it. You could also hash it, using the hashed string instead of the plain-text email. I mean, even base64 encoding it would be better than nothing...in fact, that used to be how Klaviyo "protected" user emails embedded into every email tracking link.
Obviously that's not a good strategy at-scale, but "it's better than nothing". Sometimes as engineers we don't have the luxury of choice and have to do the best we can given the constraints of business reality.
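To make the trade-offs above concrete, here is an added example (not code from the original post or from any company it mentions) that builds the same tracking link four ways. Base64 is reversed by anyone, and an unkeyed hash can be matched by anyone holding a list of candidate emails; only a keyed HMAC token stays opaque to whoever collects the URL, while the server can still map it back. `SERVER_SECRET` and the example.com URL are assumptions.

```python
# Added example: plain email vs. base64 vs. unkeyed hash vs. keyed token.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://example.com/offer?"
SERVER_SECRET = secrets.token_bytes(32)  # assumed: loaded from a secret store in practice

def link_plaintext(email):
    return BASE + urlencode({"email": email})  # readable by anyone holding the URL

def link_base64(email):
    return BASE + urlencode({"e": base64.urlsafe_b64encode(email.encode()).decode()})

def link_sha256(email):
    return BASE + urlencode({"e": hashlib.sha256(email.encode()).hexdigest()})

def token_for(email):
    # Keyed: cannot be recomputed or matched without SERVER_SECRET.
    return hmac.new(SERVER_SECRET, email.encode(), hashlib.sha256).hexdigest()

def link_hmac_token(email):
    return BASE + urlencode({"t": token_for(email)})

def param(url, key):
    """Pull one query parameter back out of a URL (percent-decoded)."""
    return parse_qs(urlparse(url).query)[key][0]

def linkable(value, known_emails):
    """What a third party with the URL and a list of known emails can tie it to."""
    for email in known_emails:
        candidates = (
            email,
            base64.urlsafe_b64encode(email.encode()).decode(),
            hashlib.sha256(email.encode()).hexdigest(),
        )
        if value in candidates:
            return email
    return None

def resolve_token(token, registered_emails):
    """Server side: only the holder of SERVER_SECRET can map a token to a user."""
    index = {token_for(e): e for e in registered_emails}  # in practice, stored per user
    return index.get(token)
```

The token is still a stable identifier, so it supports the kind of funnel tracking described above without putting the address itself in the URL.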
At the very least, it's important to think about the data you're throwing into a query string. Do your best to be paranoid with user data no matter how you use it. Don't assume that the query string is secure -- it really isn't.
Can't you just clear your history...?
Yes! Researching this reminds me to clear my history more often. Clearing your history isn't just for hiding things, it's a good security practice, too. Go figure!
Still, most average users aren't going to keep their history clean. That's like expecting every teenager to just clean their rooms. It's a nice thought, but it isn't going to happen. History is convenient and remembering to purge it is annoying.
It falls to developers and security-minded firms to do the hard work on their end. Keep your URLs clean. Don't be tempted to throw the user's email or other PII into query strings.
Fortunately, it isn't that hard to use query strings responsibly...at least if you spend the time to think about it in advance!