About the changes to click tracking
in Revive Adserver v5.1 and v5.2
This blog post is a deep dive into the changes to the click tracking functionality of the Revive Adserver software, with the recent versions 5.1 and 5.2.
Introduction
There have been two major releases of the Revive Adserver software in recent weeks. Version 5.1 came out on January 19, 2021 and version 5.2 was released on March 16, 2021, exactly 8 weeks later. The most significant changes in these two versions have to do with the ability to count clicks on third party ad tags. In this blog post, we’ll dive deeper into what has been changed, and why.
Click tracking changes in v5.1
In the last quarter of 2020, we started receiving more and more reports that Revive Adserver’s “open redirect” capability was being abused by malicious actors. They would craft links that looked innocent or trustworthy, but ultimately redirect unsuspecting web users to pages that could only be described as spammy or even scammy.
Even though the ad server itself didn’t run any particular risk from this behavior, it could harm the reputation of the organization or individual operating the ad server.
The open redirect capability was the industry standard implementation for click counting functionality (a.k.a. click tracking), which is an essential part of any ad server. One of the most important changes in version 5.1 was the removal of the software’s ability to perform an open redirect. It was replaced by a new click tracking feature that adds a unique signature to any click link that Revive Adserver creates.
Without a valid signature, Revive Adserver v5.1 will simply refuse to redirect the person clicking the link to the manipulated destination, and instead it will just redirect to the actual destination URL as defined with the banner that was just clicked.
While working on the changes in Revive Adserver v5.1, we also evaluated the so-called ‘3rd Party Servers’ plugin that has been shipping with Revive Adserver for ages. Our evaluation confirmed that all of these third party ad servers were either no longer in business, or had changed so much in recent years that the automatic click trackers that Revive Adserver attempted to insert into third party tags, no longer worked.
That resulted in the decision to remove the 3rd Party Servers plugin from Revive Adserver starting with v5.1.
We also changed the functionality related to Revive Adserver zone invocation codes for inclusion in other ad servers. This is for the scenario where a zone invocation code (a.k.a. tag) from Revive Adserver is entered into another ad server to act as a creative there. Before v5.1 it was possible to define the tag so that it would be possible to count a click on a banner delivered through the combination of both ad servers. Both Revive Adserver and the external ad server would be able to count the click. Revive Adserver had a parameter ‘ct0’ for this. This feature also relied on the ability to perform an open redirect, and since this was being removed with v5.1, the ct0 parameter also needed to be removed.
Click tracking reworked in v5.2
After the release of v5.1 in January 2021, we started receiving messages from users, from subscribers of the Revive Adserver Hosted edition, and from customers of some of our partners like Aqua Platform, that they were disappointed that the features for integration of click counting between Revive Adserver and external ad servers was removed.
For example, a very common scenario is to take javascript tags from Google’s DCM system (primarily used by large advertisers and agencies), and to paste these into Generic HTML banners in Revive Adserver.
While the ads would display just fine, and DCM was perfectly able to count any clicks on them, Revive Adserver software v5.1 was no longer able to count such clicks.
For this use case, Revive Adserver v5.2 has a reworked ability to use the {clickurl} macro in third party ad tags, which have the characteristic that the ultimate destination URL is unknown to Revive Adserver. For this scenario, a new click URL validity setting has been created, which defines the length of time that the click link will be allowed to perform a redirect, after it has been generated by Revive Adserver. This functionality uses the recently introduced signing mechanism to protect the links from being tampered with.
The validity is expressed in seconds, and by default, it is set to 0 seconds, meaning it is disabled. Setting the value to anything higher than zero results in click links that remain functional for that length of time. It is recommended to use a relatively short validity window, for example 600 seconds (10 minutes), or at least no longer than 3600 seconds (1 hour).
If a malicious actor attempts to abuse the redirect capability of these signed and time-restricted click links, by putting them into spam mails, or by submitting them in contact forms, or any other type of scenario, this will no longer work after the validity window expires. Attempts to manipulate the timestamp in the click link won’t work either, because that will result in an invalid signature. The signatures that Revive Adserver generates for the click links are extra secure because they’re also based on a randomly generated and unique seed value that’s unknown externally, and unique to every installation of the software.
Any attempt to manipulate the click link will result in the Revive Adserver software simply not redirecting the user anywhere. As such, it is now almost impossible for threat actors to abuse the feature, at least not at scale and only within a short window of opportunity. We feel this is a reasonable compromise between functionality and security. If you don’t want to open up your ad server to redirects at all, simply leave the clickValidity setting at its default value of 0 (zero) seconds.
Additionally, the support for Revive Adserver zone invocation codes being included in other ad servers via the ct0 parameter has been reimplemented in a way that causes no open redirect. For the time being, users who want to use the ct0 parameter will need to manually insert it into invocation codes, we are considering the development of a special plugin to help with this in the future.
Bug report and fix
A few days after the release of Revive Adserver v5.2.0, we received a report about a bug that affects the click-through (a.k.a. redirect) specifically and only for the invocation code generated for email newsletter zones. The fix for this bug will be in the upcoming v5.2.1, or in v5.3 (whichever of the two is earlier). If you're affected by this bug and can't afford to wait for the fix in a future release, then you can find a quick fix (patch) on our Github project page.
