
Wow that’s scary. Is there a way to share a video without that?


It appears to just be an HTTP 301 redirect, so you could use something like curl to unroll it:

  curl -I https://www.tiktok.com/t/ZTRmqkW4N

produces:

  HTTP/2 301 
  server: nginx
  content-type: text/html; charset=utf-8
  location: https://www.tiktok.com/@spencer.sebastian.yang/video/7149578560230034734?_t=8W9Y6CPjvbf&_r=1

Trim off the GET params (the bit after the ? in the URL) and you get <https://www.tiktok.com/@spencer.sebastian.yang/video/7149578...>. That appears to load in a browser for me.

I did check to see if that resulting URL after the first redirect is also a redirect. It is not, but it also returned an HTTP 403 response ('Forbidden') when submitted without the cookies that had been added.
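The manual step described in the comment above (read the `location:` header, then cut everything from the `?` onward) can be scripted. This is an added example, not part of the original comment; the function names `clean_location` and `sample_headers` are hypothetical, and the sample input is the header block quoted in the thread, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). clean_location is a hypothetical name.
# Reads HTTP response headers on stdin (as printed by `curl -I`) and prints
# the redirect target with its query string and fragment removed.
# With several header blocks on stdin, the last Location header wins.
# Exit status is 1 when no Location header is present.
clean_location() {
    awk '
        { sub(/\r$/, "") }                        # headers arrive with CRLF endings
        tolower($0) ~ /^[ \t]*location[ \t]*:/ {  # header names are case-insensitive
            url = $0
            sub(/^[^:]*:[ \t]*/, "", url)         # drop the "location:" prefix
            sub(/[?#].*$/, "", url)               # drop ?query and #fragment
            sub(/[ \t]+$/, "", url)               # drop trailing whitespace
            found = 1
        }
        END { if (found) print url; else exit 1 }
    '
}

# Sample input: the response headers quoted in the thread.
sample_headers() {
cat <<'EOF'
HTTP/2 301
server: nginx
content-type: text/html; charset=utf-8
location: https://www.tiktok.com/@spencer.sebastian.yang/video/7149578560230034734?_t=8W9Y6CPjvbf&_r=1
EOF
}

sample_headers | clean_location
```

Against a live link the same function can be fed from `curl -sI <short-url> | clean_location`; as the replies below point out, that request still shows your IP address to the server.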


When you run that curl command, TikTok already knows your IP, which is a very valuable piece of information. Unless you maintain a server that has its own IP and does nothing except de-personalizing TikTok links, and always visit the tracking-free URL from another computer with a different IP, something like that. While it is possible, I am pretty sure most people, including most people here, don't want to do that.


Sounds like a new SaaS to remove TikTok tracking. Some way to redirect any TikTok link w/o the tracking. You could then do the most SV thing to offer it for free and store the same tracking info yourself and/or deliver ads from your accounts.


That's an excellent point.

On the other hand, I don't think most people consider a public IP address to be private or protected information. If you're interested in finding the "root" content URL, which lives on a TikTok domain, then you've already implicitly signaled that you accept them knowing your public IP address.


Of course nobody could consider an IP address private information, similar to how a license plate can be read by everyone wherever you go.

But that doesn't mean it's not protected by privacy legislation. Your plate or IP isn't secret, but tracking everywhere it goes still impacts privacy.


Maybe use a proxy/private frontend? Proxitok.

https://github.com/pablouser1/ProxiTok


Downloading the video and sending it the old-fashioned way is really the only option.


You can disable the link tracking thing in settings. It's a bit buried, but: settings > privacy > suggest your account to others > people who open or send links to you


The fact that they let you disable it is a miracle


The miracle would be that disabling suggesting your account (as an account to follow) would disable the tracking. And I don't believe in miracles :p


Even then, you can never be certain that a service isn't providing you with a URL for something that is unique to you. For example, if HN wanted to go evil there's no reason it couldn't hand out a unique URL to every single visitor for every single page visited and invisibly map them to the appropriate resource on the backend. And they could even perform a redirect to a different unique URL each time one was loaded to reduce overlap between different parties (since most people wouldn't bother to counteract the redirect when resharing something).

And it's not even resource intensive to do something like this. It can all be done in a purely stateless manner by concatenating an internal ID with a counter and encrypting it to derive the URL that gets served to the user.

The moral of the story is, you should really download and share things yourself.



