NOTE: This post raised a question on whether Protonmail was doing some kind of tracking because I observed this behavior first on Protonmail, but as it turns out, it is a Safari “thing” (glitch? “feature”?).

New data

At the beginning, I thought I had found a very interesting way of tracking your link clicks by Protonmail, which seemed very weird, especially coming from a mail provider that’s so focused on privacy.

So after testing and testing, I stand corrected. It is not a Protonmail thing, but a Safari thing. I don’t know yet if this is a “glitch” or a “feature”, but it is quite interesting. It seems to be “propagating” the tracking redirection link of email providers (and probably other services too) to the pages that are being visited.

How I initially thought it was a Protonmail thing

In the beginning, I was doing some tests on the onboarding flow of the new dashboard of my business, when I observed this behavior. Without further data, I elucubrated the possibility of some kind of smart behavior from Protonmail, but something was not right.

I opened a link from Protonmail, then, when checking that the links on the page I had just been redirected to were alright, I noticed that “mail.protonmail.com” was appearing in the URL bar for a split second. That was veeeeeery weird, because that link was on MY website, so it could not contain any redirections from Protonmail. I wondered if Protonmail had found a super clever way of messing with the links on the website, or modifying the content of the page, or even altering the cache or the destination URLs.

Then I did some more tests and found out that the behavior is happening on other mail providers, most interestingly, on Google Mail too.

So what’s the deal?

The video above shows this glitch (feature?) in action on Protonmail.

So what can you see in the video? I am on Protonmail’s interface, I click on the link (to google.com/about), and get redirected to Google’s site. Then, I click on any of the links, and get redirected to the right URL, BUT, before that, you can clearly see a mail.protonmail.com middleman URL appearing on the URL bar.

The full URL is really hard to get, because it does not appear in the console, in JavaScript, on proxies, or anywhere, really. But I was finally able to collect it. It was something like this:

https://mail.protonmail.com/inbox/LTH4W9aMi9UeXTXtcsbE_P4q23XuUriETRQG6KVswT670I5chTTJ-x0WjD1rPprCFDU5RPOFp_TBVHr0-8W1Sg==

That ending is obviously a base64-encoded string, and there seem to be at least two parts to this parameter, separated by a “-” sign. So this looks like a protonmail tracking link of some sort.
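A structural check on the token in the URL above (an added example, not part of the original post; the function names are hypothetical). In the URL-safe base64 alphabet, “-” and “_” replace “+” and “/”, so the code tests whether the token decodes as a whole and whether each “-”-separated piece decodes on its own:

```python
import base64
import binascii
import string
from urllib.parse import urlparse

# URL quoted in the post above.
OBSERVED_URL = (
    "https://mail.protonmail.com/inbox/"
    "LTH4W9aMi9UeXTXtcsbE_P4q23XuUriETRQG6KVswT670I5chTTJ-x0WjD1rPprCFDU5RPOFp_TBVHr0-8W1Sg=="
)

# RFC 4648 URL-safe alphabet: "-" and "_" are data characters here.
URLSAFE_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def decodes_cleanly(text):
    """True if text is valid, correctly padded URL-safe base64."""
    body = text.rstrip("=")
    if not body or set(body) - URLSAFE_ALPHABET or len(text) % 4:
        return False
    try:
        base64.urlsafe_b64decode(text)
        return True
    except (binascii.Error, ValueError):
        return False


def inspect_token(url):
    """Summarise the structure of the last path segment of url."""
    token = urlparse(url).path.rsplit("/", 1)[-1]
    raw = base64.urlsafe_b64decode(token) if decodes_cleanly(token) else b""
    parts = token.split("-")
    printable = sum(32 <= b < 127 for b in raw)
    return {
        "token_chars": len(token),
        "whole_token_valid": decodes_cleanly(token),
        "decoded_bytes": len(raw),
        # Share of decoded bytes that are printable ASCII (1.0 = plain text).
        "printable_ratio": round(printable / max(len(raw), 1), 2),
        "hyphen_parts": len(parts),
        "parts_valid_alone": [decodes_cleanly(p) for p in parts],
    }


if __name__ == "__main__":
    for key, value in inspect_token(OBSERVED_URL).items():
        print(f"{key}: {value}")
```

For the URL above, the whole token decodes to 64 bytes that are not plain text, and of the three “-”-separated pieces only the first passes the check on its own (its 52 characters happen to be a multiple of four), which points to the hyphens being alphabet characters rather than field separators.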

I checked the source code of the visited page. The links have not been tainted. They still point in the right direction, so the URL replacement/man-in-the-middle is happening internally. Or perhaps it is some kind of glitch in Safari (although, if this is a glitch, it is a very interesting one). I’m still investigating, but what’s scary about this is that there is no information about it anywhere. What’s already clear is: there’s some wrongful redirection going on here, and Safari is adding something to the websites that keeps track of the link where the initial visit originated. Why? I still don’t know.

Why should you care?

Browsers are complex beasts. Apple is supposedly focused on the privacy of its users. That means they probably implement some measures to detect and block tracking cookies, etc, that analyze and even modify the behavior and code of the websites.

However, this behavior is definitely unwanted. Whether a glitch or a feature, this should not happen.

Work in progress

I still don’t know for sure what’s going on here. I will update this article when I find out more. After years outside of that world, my security analyst skills are definitely rusty, but I have a good old friend of mine helping out 🙂.

You can easily test this yourself by visiting Protonmail or GMail on Safari. Just send a link to any page to your email address from any other email provider, and click on this link. Then, click on any of the links on the page you just landed on. Have a look at the URL and you’ll see it visit Protonmail or Google Mail for a split second before going to the right URL.

Perhaps there is an obvious explanation I’m not seeing here, or I am a terribly mistaken paranoid guy. In that case, I’m always happy to be shown how wrong I am (please do :). If this is an anti-phishing or anti-something measure, I would expect it to be confined to the links inside the email, or at least some kind of warning when visiting the link, but this seems different to me. As the Russian saying goes, trust, but verify.

Conclusion

I always believed that in order to keep control of your data, you have no choice but to learn to manage it yourself. Still, we can’t help but use the tools we have at our disposal. There needs to be a layer of confidence somewhere, a line that can’t be crossed. Recently, while testing the new dashboard of my business, I discovered a strange behavior that may be a glitch of Safari… or something else. I initially thought it was some kind of tracking behavior from Protonmail, but I realized Safari is causing this behavior, not just on Protonmail, but on other email providers such as Google.

I will update this article as I gather more information.


2 Comments

  1. Javier April 27, 2021 at 8:00 am

    Have you reached out to Apple or ProtonMail about this?

    1. nacho April 30, 2021 at 3:56 pm

      Hi Javier,
      Yes, we contacted both. Things are clear with ProtonMail now; it seems to be a Safari (and thus Apple) issue, but still no answer from them.
      Thanks for commenting!
