Taobao
App Quality Report
Powered by Testers.AI
Quality Score: B+ (89%)
Pages: 3
Issues: 32
Avg Confidence: 8.2
Avg Priority: 8.2
Severity: 18 Critical, 11 High, 3 Medium

Testers.AI AI Analysis

Taobao was tested and 32 issues were detected across the site. The most critical finding was a device/user identifier (bd_vid) exposed in the URL query string of a Taobao growth API call. Issues span the Security, A11y, Performance and Other categories. Persona feedback rated Design highest (6/10) and Accessibility lowest (4/10).

Qualitative Quality (chart: Taobao score vs. category average and best in category; values not captured)

Issue Count by Type
Content: 7
A11y: 6
UX: 5
Security: 3
Pages Tested · 3 screenshots
Detected Issues · 32 total
1
Sensitive device/user identifier (bd_vid) exposed in URL query parameters of Taobao growth API call
CRIT · P9 · Conf 9/10 · Security, Other
Prompt to Fix
In the Taobao growth API call (GET h5/mtop.taobao.pc.growth.sem.homeconfigvo), remove the raw device/user identifier bd_vid from the URL-encoded data payload. If analytics require identification, transmit a privacy-preserving value instead: (a) carry the identifier in a POST body or a custom header (e.g., X-Device-Id-Hash) rather than the URL; note that the call is currently a JSONP script request (dataType=jsonp, callback=mtopjsonptbpc1), which cannot carry a body or custom headers, so this means moving the endpoint to a CORS-enabled fetch/XHR call; or (b) replace the value with a pseudonymous identifier generated server-side. A plain client-side SHA-256 of bd_vid hides the raw value but is still a stable, unique identifier and does not by itself prevent cross-session tracking; if hashing is used, it should be a keyed hash (HMAC) under a key held only by the server. Ensure logs, referer headers and analytics pipelines do not contain the raw bd_vid. Update the backend to accept the new field and stop accepting the raw bd_vid in the data parameter. Audit other URL parameters for PII-like data and scrub as needed.
Why it's a bug
bd_vid is a unique device/user identifier embedded in a URL query parameter of a cross-origin API request. The same value appears in the landing-page URL captured by the page's own analytics beacons (see the _p_url in the evidence for issue 2), so it travels in the page URL, the referer and the browser history as well as in this request. URLs are routinely logged by servers, browsers, proxies and analytics pipelines, so the identifier can leak into every one of those stores and be used to link sessions without explicit user consent.
Why it might not be a bug
The value is used for analytics/tracking and may be considered non-secret by design; however, exposing identifiers in URLs increases privacy risk and log exposure, which product teams typically want to minimize.
Suggested Fix
Remove the raw bd_vid from the URL. Send it to the first-party backend in the request body instead (which requires replacing the JSONP script request with a CORS-enabled fetch/XHR call, since JSONP cannot carry a body or custom headers), and pseudonymize it server-side with a keyed hash (HMAC-SHA256 under a key that never reaches the client) or a randomly generated per-session token before it is stored or forwarded to analytics. A plain client-side SHA-256 of the value is not a privacy fix on its own: it is deterministic and still uniquely identifies the device across sessions. Ensure all analytics endpoints sanitize or obfuscate identifiers before logging. Update the backend to accept the new field and stop accepting the raw bd_vid in the data payload.
Why Fix
Minimizing exposure of device/user identifiers reduces privacy risk, mitigates leakage through logs, referer headers, and browser history, and helps comply with privacy best practices and regulations.
Route To
Frontend Security Engineer / Privacy Engineer / Network Security
Tester
Sharon · Security Networking Analyzer
Technical Evidence
Console: bd_vid appears in URL-encoded data payload for Taobao growth API call
Network: GET https://h5api.m.taobao.com/h5/mtop.taobao.pc.growth.sem.homeconfigvo/1.0/?jsv=2.7.2&appKey=12574478&t=1774516686558&sign=3c6c9fef049a3d1af849e62d68b2f6d8&v=1.0&timeout=5000&dataType=jsonp&valueType=original&jsonpIncPrefix=tbpc&ttid=1%40tbwang_mac_1.0.0%23pc&api=mtop.taobao.pc.growth.sem.homeConfigVO&type=originaljsonp&callback=mtopjsonptbpc1&data=%7B%22channelSrp%22%3A%22baiduSomama%22%2C%22bc_fl_src%22%3A%22tbsite_NOX36458%22%2C%22semFor%22%3A%22alimama%22%2C%22clk1%22%3A%22ad9c9a1bee3b2a2716e974f81193add5%22%2C%22refpid%22%3A%22mm_26632258_3504122_32538762%22%2C%22bd_vid%22%3A%2216587787475815289066%22%7D - Status: 200
2
Cross-site third-party analytics tracking with persistent identifiers without clear consent
CRIT · P9 · Conf 9/10 · Other
Prompt to Fix
Audit all analytics network calls on the PC Sem/Alimama page. Ensure explicit user consent is collected before sending any third-party tracking data. Remove or mask persistent identifiers (clk1, refpid, upsId, bd_vid) from client requests or replace with per-session tokens stored server-side after consent. Implement a privacy toggle and ensure requests to gm.mmstat.com, log.mmstat.com, and alilog domains are gated behind consent. Provide a patch with changes to the data layer that builds requests and a governance note on data minimization.
Why it's a bug
The PC Sem/Alimama page triggers multiple requests to third-party analytics endpoints (gm.mmstat.com, log.mmstat.com, alilog/aplus) that carry persistent/tracking identifiers such as clk1, refpid, upsId, and bd_vid. These identifiers are sent to external services and can be used to profile user behavior across sites. There is no clear indication of user consent for these tracking calls in the observed network activity, increasing risk of non-consensual data sharing and cross-site profiling.
Why it might not be a bug
Analytics may be required for product insights; if proper consent and privacy controls are in place (explicit opt-in/out, data minimization), these calls could be legitimate. The mmstat.com and alilog endpoints are Alibaba group analytics services rather than independent vendors, so "third-party" here means cross-site from the browser's point of view, not a separate operator. The provided trace alone does not confirm consent UI or policy disclosures.
Suggested Fix
Implement explicit user consent controls for analytics/tracking. Minimize data sent to third parties by removing or obfuscating persistent identifiers (clk1, refpid, upsId, bd_vid) from client requests, or replace with ephemeral per-session tokens stored server-side. Consider moving to first-party analytics with strict data minimization and clear opt-out. Add a privacy banner and implement a consent flag gating all non-essential tracking calls.
Why Fix
Protect user privacy, reduce cross-site profiling risk, and align with data protection expectations. Clear consent and data minimization reduce regulatory risk and improve user trust.
Route To
Privacy Engineer / Frontend Security Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Network: GET https://gm.mmstat.com/arms.1.1 - Status: N/A; GET https://log.mmstat.com/v.gif?logtype=1&title=%E6%B7%98%E5%AE%9D&pre=&scr=800x600&_p_url=https%3A%2F%2Fwww.taobao.com%2Fwow%2Fz%2Ftbhome%2Fpcsem%2Falimama%3Frefpid%3Dmm_26632258_3504122_32538762%26keyword%3D%25E6%25B7%2598%25E5%25AE%259D%25C2%25B7%25E7%25BD%2591%26bc_fl_src%3Dtbsite_NOX36458%26channelSrp%3DbaiduSomama%26bd_vid%3D16587787475815289066%26clk1%3Dad9c9a1bee3b2a2716e974f81193add5%26upsId%3Dad9c9a1bee3b2a2716e974f81193add5&spm-cnt=tbpc.pc_sem_alimama%2Fa.0.0.44b42a892mbWDl&category=&uidaplus=&aplus&udpid=&&yunid=&&trid=0830559e17745166860261861e&asid=AQAAAADO+cRp8YtoBwAAAADJJwMziFXn4Q==&p=1&o=win10&b=chrome120&s=800x600&w=webkit&ism=pc&cache=a9cfbeb&lver=8.15.25&jsver=aplus_std&pver=0.7.12&tag=0&stag=-3&lstag=-1&_slog=0 - Status: N/A
3
Potential PII/Device identifiers transmitted to logging endpoints
CRIT · P9 · Conf 9/10 · Other
Prompt to Fix
On all logging endpoints (e.g., log.mmstat.com/y.gif), remove any user identifiers (userid, udpid, yunid) from the URL query string. If identifiers are required, implement a server-side anonymization/tokenization scheme (a keyed hash or a random token rather than a plain hash of the raw value) and restrict data collection to first-party analytics with clear consent. Provide an in-app privacy consent toggle and update the privacy policy.
Why it's a bug
The log/trace requests include parameters such as userid, udpid, and yunid in the query string to logging/analytics endpoints (e.g., log.mmstat.com/y.gif). In the captured request all three are empty (userid=, udpid=, yunid=), so this trace shows the transmission pathway rather than a confirmed leak; the parameters exist to be populated, and the finding should be re-verified with a logged-in session before it is treated as a live exposure. Once populated, they would carry user/device identifiers to cross-site services, exposing PII and enabling cross-site tracking.
Why it might not be a bug
If these identifiers are always sanitized or never populated with actual PII in production, the issue is mitigated; however, the presence of such parameters in URLs represents a privacy exposure risk that should be mitigated regardless.
Suggested Fix
Remove sensitive identifiers from URL query strings to logging endpoints. If identifiers are required, pseudonymize them server-side (a keyed hash or a random token) before transmission; a plain unkeyed hash of a stable identifier is still a stable identifier and does not prevent tracking. Ensure a clear privacy policy and consent mechanism for logging. Prefer first-party logging and restrict cross-site data sharing.
Why Fix
Prevents leaking user/device identifiers to third-party log collectors, reducing privacy risk and regulatory exposure.
Route To
Backend/Data Privacy Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: log.mmstat.com/y.gif?logtype=0&title=...&userid=&udpid=&yunid=... observed in the network trace.
Network: GET https://log.mmstat.com/y.gif?logtype=0&title=%E6%90%9C%E7%B4%A2%E6%A1%86%E4%B8%8B%E6%8B%89%E5%8E%86%E5%8F%B2%E9%80%9A%E4%BF%A1%20iframe&pre=https%3A%2F%2Fwww.taobao.com%2F&scr=800x600&_p_url=https%3A%2F%2Fwww.taobao.com%2Fwow%2Fz%2Ftbhome%2Fdefault%2Fkissy-search-suggest-iframe&spm-cnt=0.0.0.0.158c600eD7R2Zg&category=&userid=&aplus&udpid=&&yunid=&&trid=0830559e17745166866782666e&asid=AQAAAADO+cRp38peWwAAAAC31LfyS/MemA==&p=1&o=win10&b=chrome120&s=800x600&w=webkit&ism=pc&cache=6c30a04&lver=8.15.25&jsver=aplus_std&pver=0.7.12&thw=us&aws=1&_pw=0&_ph=0&tag=0&stag=-3&lstag=-1&_slog=0
17 more issues detected, including:
AI/LLM Endpoints Loaded on Page Load Leading to Potential Da...
Massive resource DNS resolution failures causing broken asse...
WebSocket connection failure to wss://ws.mmstat.com/ws block...
and 14 more...
You're viewing the top 3 issues for Taobao; the full report with all 32 detected issues is available from Testers.AI.