eBay UK
App Quality Report
Powered by Testers.AI
Quality Score: B (83%)
Pages: 6
Issues: 160
Avg Confidence: 7.4
Avg Priority: 7.5
36 Critical, 90 High, 32 Medium, 2 Low
Testers.AI AI Analysis

eBay UK scored B (83%) with 160 issues across 7 tested pages, ranking #19 of 20 UK retail sites. That's 30 more than the 130.2 category average (5th percentile).

Top issues to fix immediately: "Multiple images with empty alt text lack meaningful descriptions" - Provide meaningful, descriptive alt text for each image; "Missing skip navigation link prevents keyboard users from bypassing re" - Add a skip navigation link as the first focusable element on the page; "Render-Blocking JavaScript Resources Delaying Initial Page Render" - 1) Add 'async' or 'defer' attributes to non-critical JavaScript tags.

Weakest area - accessibility (6/10): The page lacks clear focus indicators, alt text visibility for images is uncertain, and color contrast in some sections may be ...

Quick wins: Consolidate promotional sections to reduce visual clutter and improve focus hierarchy. Implement consistent design language across all sections with unified typography and spacing.

Qualitative Quality (chart comparing eBay UK, Category Avg, and Best in Category)
Issue Count by Type
A11y: 44
Content: 29
Security: 11
UX: 7
Pages Tested · 6 screenshots
Detected Issues · 160 total
1
User Tracking Identifier (GUID) Exposed in Multiple Third-Party Tracking Calls
CRIT P9
Conf 9/10 Other
Prompt to Fix
A persistent user GUID (f709100c19c0ac723dbbe239ffdea471) is being exposed in console logs and transmitted to multiple third-party tracking domains (Yahoo Analytics, Criteo, Facebook, Pinterest, Reddit). This enables cross-site user profiling and violates privacy regulations. Implement the following: (1) Remove all persistent user identifiers from console logs by sanitizing log output before browser display; (2) Migrate tracking to server-side implementations where identifiers are not visible in client-side logs; (3) Implement consent-based identifier sharing where users must opt-in before any GUID is sent to third parties; (4) Use temporary, short-lived session identifiers instead of persistent GUIDs for cross-domain tracking; (5) Add privacy impact assessment and audit third-party integrations to ensure compliance with GDPR Article 6 and consent requirements.
Why it's a bug
A persistent user identifier (guid=f709100c19c0ac723dbbe239ffdea471) is exposed in console logs across multiple third-party tracking domains including eBay ad services, Yahoo analytics, Criteo, Facebook, Reddit, and Pinterest. This GUID enables cross-site user tracking and profiling across advertising networks, violating user privacy expectations and potentially breaching GDPR/privacy regulations. The identifier is transmitted in plain text to external tracking services logged in the console.
Why it might not be a bug
GUIDs are standard for analytics, and if properly disclosed in privacy policies, some tracking may be legitimate. However, the exposure of the same identifier across competing ad networks (Facebook, Pinterest, Criteo, Reddit) in console logs indicates potential privacy violations and lack of transparency.
Suggested Fix
1) Implement a privacy-focused identifier strategy that doesn't expose persistent GUIDs in console logs or network requests. 2) Use first-party data only for essential functionality. 3) Implement proper consent mechanisms before sending identifiers to third-party trackers. 4) Sanitize console logging to prevent exposure of tracking identifiers. 5) Implement server-side tracking where identifiers are not visible in client-side logs.
Why Fix
Exposing persistent user identifiers in console logs and to multiple ad networks violates privacy principles, breaches user consent expectations, and creates regulatory risk under GDPR, CCPA, and similar laws. Users expect their tracking behavior to be limited and transparent.
Route To
Privacy Engineer / Data Protection Officer
Page
Tester
Pete · Privacy Console Log Analyzer
Technical Evidence
Console: [INFO] Loading the image 'https://www.ebayadservices.com/marketingtracking/v1/sync?guid=f709100c19c0ac723dbbe239ffdea471&uid='... [INFO] Loading the image 'https://sp.analytics.yahoo.com/spp.pl?a=10000&ea=Global&.yp=10106231&js=no&fmseg=-1&guid=f709100c19c0ac723dbbe239ffdea471&product_id=undefined...
Network: https://www.ebayadservices.com/marketingtracking/v1/sync?guid=f709100c19c0ac723dbbe239ffdea471&uid= | https://sp.analytics.yahoo.com/spp.pl?guid=f709100c19c0ac723dbbe239ffdea471 | https://sslwidget.criteo.com/event with ui_guid parameter
2
User GUID Identifier Exposed in Third-Party Tracking URLs
CRIT P9
Conf 9/10 Other
Prompt to Fix
You are fixing a critical privacy vulnerability in the tracking/analytics pipeline. The application is exposing persistent user GUIDs in third-party tracking pixel URLs sent to Facebook, Google, Criteo, Yahoo Analytics, Pinterest, Reddit, and Snapchat. The GUID 'f709100c19c0ac723dbbe239ffdea471' appears in multiple tracking calls. Fix this by: 1) Implement server-side analytics that anonymizes user identifiers before sending to third parties. 2) Remove or hash user GUIDs from all client-side tracking pixels and Analytics URLs. 3) For each third-party integration, check if user identifiers are necessary - if not, remove them entirely. 4) For partners that legitimately need user data, hash the identifier using a one-way function or use a temporary, session-specific token instead of persistent GUIDs. 5) Update the privacy policy to reflect actual data sharing practices. This is a GDPR/CCPA violation that must be fixed immediately.
Why it's a bug
A persistent user identifier (GUID: f709100c19c0ac723dbbe239ffdea471) is being transmitted in plain text to multiple third-party tracking services including Yahoo Analytics, Criteo, Facebook, Pinterest, Reddit, and Google. This GUID appears across multiple tracking calls and enables cross-site user profiling and identification across different platforms. This violates privacy principles and potentially GDPR/CCPA regulations as users have not explicitly consented to sharing their unique identifier with all these third parties.
Why it might not be a bug
The company may have legitimate business reasons for analytics and may argue this is part of their standard data sharing agreements, however the exposure of a consistent identifier across so many third parties without explicit per-party consent is a significant privacy violation.
Suggested Fix
1) Remove or hash the GUID before sending to third-party tracking services. 2) Implement server-side tracking that doesn't expose user identifiers to client-side tracking pixels. 3) Require explicit user consent before sharing user identifiers with any third party. 4) Use privacy-preserving alternatives like aggregated analytics without individual user tracking.
Why Fix
Exposed GUIDs enable third parties to track users across websites and build detailed behavioral profiles. This is a direct violation of user privacy expectations and data protection regulations. Users visiting ebay.co.uk are having their unique identifier shared with Facebook, Google, Criteo, Yahoo, Pinterest, Reddit, and Snapchat without visible consent.
Route To
Privacy Engineer / Data Protection Officer / Backend Engineer responsible for analytics pipeline
Page
Tester
Pete · Privacy Console Log Analyzer
Technical Evidence
Console: Loading the image 'https://ir.ebaystatic.com/cr/v/c01/06_Fitness_PopDest_1600x1600.jpg' and subsequent tracking URLs containing 'guid=f709100c19c0ac723dbbe239ffdea471'
Network: https://www.ebayadservices.com/marketingtracking/v1/sync?guid=f709100c19c0ac723dbbe239ffdea471&uid=, https://sp.analytics.yahoo.com/spp.pl?...&guid=f709100c19c0ac723dbbe239ffdea471, https://sslwidget.criteo.com/event?...&ui_guid%3Df709100c19c0ac723dbbe239ffdea471, https://www.facebook.com/tr/?...&ud[external_id]=f709100c19c0ac723dbbe239ffdea471&aud[external_id]=f709100c19c0ac723dbbe239ffdea471
3
Sensitive User Identifiers and GUIDs Exposed in Tracking Pixel URLs
CRIT P9
Conf 8/10 Other, Security
Prompt to Fix
SECURITY ISSUE: Persistent user GUIDs (f709100c19c0ac723dbbe239ffdea471) are being logged to the browser console in tracking pixel URLs sent to third-party domains (Facebook, Criteo, Yahoo, Reddit, Pinterest, Snapchat). This exposes sensitive user identifiers to anyone with console access and enables cross-site user tracking and profiling. FIX: Implement server-side pixel tracking by creating a backend endpoint (e.g., /api/v1/tracking) that accepts minimal parameters (event_type, timestamp). Move all tracking URL construction to the server-side where identifiers can be appended securely without exposing to client console. Remove GUIDs from client-side tracking URLs. Alternatively, if client-side tracking is required, proxy all requests through a same-origin endpoint that strips and re-adds identifiers server-side. Ensure tracking URLs never appear in console logs.
Why it's a bug
Multiple tracking pixels and third-party analytics endpoints are exposing persistent user identifiers (GUIDs like 'f709100c19c0ac723dbbe239ffdea471') in plaintext URLs logged to the console. These identifiers are being transmitted to external third parties (Facebook, Criteo, Reddit, Yahoo, Pinterest, Snapchat) in GET request parameters visible in console logs. This enables tracking correlation across sites, user fingerprinting, and potential account linkage by adversaries who have access to console logs. The GUID persists across sessions and appears in multiple tracking calls, creating a stable identifier for cross-site user tracking and profiling.
Why it might not be a bug
These tracking calls may be intentional business functionality for analytics and advertising. However, the fact that sensitive identifiers are exposed in console logs (which developers and attackers with console access can easily see) represents a separate security hygiene issue regardless of intentional tracking.
Suggested Fix
1) Implement Content Security Policy (CSP) with stricter img-src and script-src directives to block non-whitelisted tracking domains entirely. 2) If tracking is necessary, use server-side pixel tracking instead of client-side to avoid exposing identifiers to console inspection. 3) Sanitize or hash sensitive identifiers before including them in tracking URLs. 4) Implement a tracking redirect/proxy endpoint that accepts minimal parameters and adds tracking IDs server-side before forwarding to third parties. 5) Use sub-domain isolation or sandboxing for tracking iframes to prevent console access from parent application context.
Why Fix
Exposing persistent user identifiers in console logs enables: (1) Cross-site user tracking by passive observers with console access, (2) User de-anonymization and profile linking across services, (3) Targeted advertising/phishing based on tracked behavioral data, (4) Account takeover if identifiers can be used for session hijacking. This violates privacy principles and increases risk surface.
Route To
Security Engineer / Privacy Engineer / Frontend Security Architect
Page
Tester
Sharon · Security Console Log Analyzer
Technical Evidence
Console: [INFO] Loading the image 'https://www.ebayadservices.com/marketingtracking/v1/sync?guid=f709100c19c0ac723dbbe239ffdea471&uid=' violates the following Content Security Policy directive... [INFO] Loading the image 'https://sp.analytics.yahoo.com/spp.pl?a=10000&...&guid=f709100c19c0ac723dbbe239ffdea471&...&opid=3411350...' [INFO] Loading the image 'https://www.facebook.com/tr/?...&ud[external_id]=f709100c19c0ac723dbbe239ffdea471&aud[external_id]=f709100c19c0ac723dbbe239ffdea471&...
Network: Multiple third-party tracking endpoints: ebayadservices.com/marketingtracking, sp.analytics.yahoo.com, facebook.com/tr, criteo.com, reddit.com, pinterest.com, snapchat.com - all receiving GUID parameter f709100c19c0ac723dbbe239ffdea471
157 more issues detected:
User Profile Data Exposed in Query Parameters
Facebook User Identifier and Email Hash Exposed in Tracking ...
Sensitive User Identifiers and GUIDs Exposed in Network Requ...
and 154 more...
You're viewing the top 3 issues for eBay UK.