👀 Google’s Gmail tracks link clicks in e-mail messages

Ohad Avenshtein
Nov 7 · 3 min read

I have noticed something weird for a while.
When using the Gmail Android app, clicking a link in an e-mail message navigates to a Google domain for a brief moment before redirecting to the requested site.
That made me think. From an advertiser’s point of view, a link click has far more value than a received e-mail. A typical user ignores many e-mails (some of which are spam), but a link click tells what he is currently interested in.

🔍 Investigating

I logged into my Gmail account and opened some promotion email I received:

I opened “Developer Tools” on the “Network” tab.
Next, I clicked the link and watched what happened.
Apparently, a request was sent to https://mail.google.com/sync. I didn’t expect to understand the request payload, but it’s clear that relevant information is sent:

I decided to inspect the link element and found a strange attribute named data-saferedirecturl, which holds the original link wrapped in a google.com link:

That’s odd. Google probably uses this attribute in JavaScript code.
Next, I noticed many click event handlers on this link:

After I removed all of those event handlers, clicking on this link didn’t send any request to Google.
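Two things from the investigation above can be checked without Gmail’s minified code: what the data-saferedirecturl wrapper actually carries, and that a link with its handlers stripped sends nothing. The following is an added example, not code from the original post or from Google. It assumes the wrapper has the www.google.com/url?q=<original> shape; the attribute value and the usg token are constructed placeholders, and Node’s built-in EventTarget stands in for the DOM element so the handler part runs without a browser.

```javascript
// Added example (not from the original post). The anchor below is CONSTRUCTED:
// the `usg` value is a made-up placeholder, not a real Google signature.
const sampleAnchor = {
  href: 'https://example.com/promo?id=123&ref=newsletter',
  'data-saferedirecturl':
    'https://www.google.com/url?q=https://example.com/promo?id%3D123%26ref%3Dnewsletter' +
    '&source=gmail&ust=1573123456789000&usg=AFQjCNEplaceholder',
};

// Parse a google.com/url redirect wrapper into its parts. Returns null when the
// value is not such a wrapper, so callers can fall back to the plain href.
function parseSafeRedirect(value) {
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.hostname !== 'www.google.com' || u.pathname !== '/url') return null;
  const p = u.searchParams;
  const target = p.get('q');           // URLSearchParams percent-decodes %3D/%26 for us
  if (!target) return null;
  return {
    target,                            // where the redirect finally lands
    source: p.get('source'),           // "gmail" in the constructed sample
    ust: p.get('ust'),                 // timestamp parameter carried by the wrapper
    usg: p.get('usg'),                 // opaque token carried by the wrapper
  };
}

// The practitioner's check: does the destination inside the wrapper match the
// visible href? A mismatch means the click would not land where the link says.
function sameDestination(anchor) {
  const wrapped = parseSafeRedirect(anchor['data-saferedirecturl']);
  if (!wrapped) return { tracked: false, mismatch: false, target: anchor.href };
  const normalize = (s) => { const u = new URL(s); u.hash = ''; return u.href; };
  let mismatch;
  try { mismatch = normalize(wrapped.target) !== normalize(anchor.href); }
  catch { mismatch = true; }           // unparsable target counts as a mismatch
  return { tracked: true, mismatch, target: wrapped.target };
}

// Stand-in for the link's click/mouseover handlers. `beacons` plays the role of
// the requests the post saw going to mail.google.com/sync and the log endpoint.
function attachTracker(link, beacons) {
  link.addEventListener('mouseover', () => beacons.push({ type: 'hover', target: link.href }));
  link.addEventListener('click', () => beacons.push({ type: 'click', target: link.href }));
}

// Replace the element with a copy that keeps its attributes but none of its
// listeners; this is what removing the handlers achieved in the post.
function stripListeners(link) {
  const clean = new EventTarget();
  clean.href = link.href;
  clean['data-saferedirecturl'] = link['data-saferedirecturl'];
  return clean;
}

// Hover and click the tracked link, then click the stripped copy.
// Returns the number of beacons sent: 2, because the stripped copy sends none.
function simulate(anchorAttrs) {
  const beacons = [];
  const tracked = Object.assign(new EventTarget(), anchorAttrs);
  attachTracker(tracked, beacons);
  tracked.dispatchEvent(new Event('mouseover'));
  tracked.dispatchEvent(new Event('click'));
  const untracked = stripListeners(tracked);
  untracked.dispatchEvent(new Event('click'));
  return beacons.length;
}
```

Run it with `node` and call `sameDestination(sampleAnchor)`; the `tracked: true` flag is what tells you a click on this anchor goes through the wrapper, and `mismatch: true` on a spoofed anchor is the case worth flagging before clicking.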

🐭 Mouse tracking?

It’s no secret that major companies track mouse events:
https://stackoverflow.com/questions/6667544/why-does-google-1-record-my-mouse-movements
https://www.fastcompany.com/40584539/facebook-confirms-it-tracks-your-mouse-movements-on-the-screen
Basically, if a user hovers over a link, that’s interesting too, right?
I attached a mouseover event handler:

and hovered over the promotion link. When debugging the minified JavaScript code (just to look at the objects), it’s easy to see which item is currently hovered:

Technically, Google can store this data and send it.
Google sends data to a log endpoint every few seconds and also when the browser is closed. By attaching to the Window.close and Load.unload events, it’s possible to close the browser and leave Developer Tools open (you can do that or use Fiddler). That allowed me to look at the Network tab and see some calls to the log endpoint:

Some of them have an encoded payload:

So it’s not clear what exactly they are sending or tracking in this case.

✋ Avoid link tracking?

Google also uses a beacon named cleardot.gif, a tracking pixel whose image request carries cookies and tracking parameters back to Google, as mentioned here:
https://superuser.com/questions/658098/how-does-googles-cleardot-gif-track-email-recipients-with-a-generic-url
and in Google’s official docs:
https://policies.google.com/technologies/types?hl=iw
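A tracking pixel only works if the mail client fetches the image, so the practical check is to find such images in the message body before they load. The scanner below is an added example, not code from the original post or from Google; the e-mail body is constructed, and the track.example.net host and its paths are placeholders standing in for a beacon URL like the cleardot.gif one described above. It flags remote images that are 1×1, hidden by style, or whose path looks like a beacon, which is broader than the single cleardot.gif case in the text.

```javascript
// Added example (not from the original post). The HTML below is CONSTRUCTED;
// track.example.net and its paths are placeholders, not real tracking URLs.
const sampleEmailHtml = `
<p>Big sale this week!</p>
<a href="https://shop.example.com/sale">Shop now</a>
<img src="https://shop.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/open?rcpt=abc123" width="1" height="1" style="display:none">
<img src='https://track.example.net/cleardot.gif?zx=xyz789' width=1 height=1>
`;

const IMG_RE = /<img\b[^>]*>/gi;
// name = "double-quoted" | 'single-quoted' | bare value
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Pull the attributes out of one <img ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Heuristic scan: a remote image that is 1x1, hidden, or named like a beacon.
// Returns the src of every image that matches, in document order.
function findTrackingPixels(html) {
  const hits = [];
  for (const m of html.matchAll(IMG_RE)) {
    const a = parseAttrs(m[0]);
    if (!a.src || !/^https?:\/\//i.test(a.src)) continue;   // inline/data images cannot phone home
    let pathname;
    try { pathname = new URL(a.src).pathname; } catch { continue; }
    const tiny = a.width === '1' && a.height === '1';
    const hidden = /display\s*:\s*none/i.test(a.style ?? '');
    const beaconName = /(?:cleardot|pixel|beacon|open)\b/i.test(pathname);
    if (tiny || hidden || beaconName) hits.push(a.src);
  }
  return hits;
}

// Strip the flagged images so the client never requests them.
function removeTrackingPixels(html) {
  const flagged = new Set(findTrackingPixels(html));
  return html.replace(IMG_RE, (tag) => (flagged.has(parseAttrs(tag).src) ? '' : tag));
}
```

The size and style tests catch the common case; the name test is a weaker signal and will occasionally flag a legitimate image, so treat the result as a list to review rather than a verdict.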

It’s almost impossible to avoid tracking completely. If you just want to keep a particular link click private, copy and paste the URL, or type it by hand, into another tab.

Written by Ohad Avenshtein, a passionate Full-Stack developer who loves basketball 🏀
