Resynth

DuckDuckGo Still Has Issues

On the 9th of July, in 2019, a user named Tritonio reported a critical privacy issue, which was prevalent in DuckDuckGo's Android application.

On every page, the DuckDuckGo Browser was sending requests to an external (DuckDuckGo) service, containing the URL of the page. In this case, that was used for parsing the HTML of a page, and returning the favicon (the icon of the page).

This was, indeed, a problem for privacy. Despite how DuckDuckGo promised not to log this data, it was still being sent to their services, without clear warning to the user.

This was a problem. A whole year later, and after a stream of bad publicity, it was removed by DuckDuckGo.

But there's still a problem.

If you're using an older browser in DuckDuckGo, when a result is selected, the user is sent to a page which then redirects to the requested destination.

This may be problematic for privacy, as every URL you've clicked on from the search interface is then transmitted to DuckDuckGo.

This used to happen when I used Firefox, but that seems to have been stopped.

If you visit DuckDuckGo's settings, under the Privacy tab, you'll see a setting named "Redirect (when necessary)". From what I understand, if that setting is disabled, this redirection will cease to exist. Even when this setting is disabled, DuckDuckGo forces the use of their redirect mechanism.

When this redirection happens, the URL contains a few parameters. I couldn't tell you what every one means, but the entire URL looks like this:

https://duckduckgo.com/l/?kh=-1&uddg=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FGhost_(Swedish_band)

As the target URL is included in the query parameters (everything after ?), the URL is sent to DuckDuckGo's servers.

If you browse to that URL, you'll receive a HTML document which looks something like this (beautified):

<html>

<head>
    <meta name='referrer' content='origin'>
</head>

<body>
    <script language='JavaScript'>
        window.parent.location.replace("https://en.wikipedia.org/wiki/Ghost_(Swedish_band)");
    </script><noscript>
        <META http-equiv='refresh' content="0;URL=https://en.wikipedia.org/wiki/Ghost_(Swedish_band)">
    </noscript>
</body>

</html>

Solution

My proposed solution would be to contain the target URL in the hash (#) instead of the query parameters, like so:

https://duckduckgo.com/l/#kh=-1&uddg=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FGhost_(Swedish_band)

With this configuration, we could then change the above HTML to something like this:

<html>

<head>
    <meta name='referrer' content='origin'>
</head>

<body>
    <script language='JavaScript'>
        const params = new URLSearchParams(location.hash);
		location.href = params.get('uddg');
    </script>
</body>

</html>

However, this may pose problems when a user doesn't use JavaScript. In that case, the old URL format could be used instead.

Aside from browsers without JavaScript & noreferrer, which seems to be a very rare occurance, this needs to be fixed.

Why do you think DuckDuckGo chose to do this?

resynth1943.article