Google "ved" Parameter Versions
Google URLs contain a wealth of information. The ved parameter often appears when a user clicks a link on a Google page, and it contains information about the link that was clicked on: position on the page, link type, time of click, and more*.
This link context information is valuable data for website owners. Many SEO (search engine optimization) enthusiasts have spent a lot of time trying to figure out what the ved means, and it appears they have plausible explanations for most of the values inside the ved. Check out these resources for explanations of what the values in the ved mean:
- Kevin Jones: The information hidden inside Google’s ved parameter
- Benjamin Schulz: Google Referrer Query Strings Debunked
*It's important to note that all the interpretations of the values in the ved are our best guesses as a community; there are no official definitions from Google and I don't have any inside insight into these.
OK, with that out of the way, let's dig into the different versions of ved.
The Evolving ved
The ved parameter has changed over the years. DFIR has been familiar with three versions; I've started to see a new fourth kind, with more info!
I'll go over each ved version below, but let's start with a description of the ved structures. The ved starts with a number, which I'm calling the version. That version number is stripped off for the subsequent processing steps. After the version, the remainder of the value is the data about the link click (the reason we care about the ved at all).
In versions 0-short, 0-long, and 2, the data portion is a base64-encoded protobuf. Protobufs (or protocol buffers) are a Google-designed data structure used for serializing values. I won't go into a ton of detail here (I'll save that for another day), but for this post, all you need to know is a protobuf can be decoded into something that looks like a JSON object, made up of nested key-value pairs.
Version 1 is different from the others (and also quite rare); it is not encoded into a protobuf; it has the key-value pairs as a text string.
Version 0 (short)
This shorter version of version 0 is old; I'm going to refer to it as the "legacy" version from now on. It still is a base64-encoded protobuf, but it has less information in it than the current 0 ones.
Example: ved=0CFYQFjAG
This parses out to:
{
  "1": 86,
  "2": 22,
  "6": 6
}
These pairs of values have meaning; see Version 1 below for explanations.
Version 1
I'm going to skip to version 1 next, because the data contained is the same as a legacy 0 version.
Example: ved=1t:22,r:6,i:86
From Kevin Jones' post:
- 1 is i (or link index)
- 2 is t (or link type)
- 6 is r (or result position)
- 7 is s (or start result position)
You may have noticed "7" is in the list, but not in the previous examples. Some key-value pairs are optional; "7" is one of those.
Version 0 (long)
The long variant of 0 is by far the most common ved you'll see (at least for now?). I'm going to call this one just 0 from now on.
Example: ved=0ahUKEwjJ2433hOHnAhUCvZ4KHcsCAsMQ4dUDCAs
This data parses out to:
{
  "1": 11,
  "2": 60129,
  "13": {
    "1": {
      "1": 1582232915635657, <---- timestamp!
      "2": 45981194,
      "3": 3405906627
    }
  }
}
You can do this ved decoding yourself with CyberChef; it has both base64 and protobuf decoding functions. If you want to plug your own ved values in, don't forget to remove the leading version number first!
This ved has more values than previous ones. "13" has a subkey of "1", and that has three values. The first sub-key (which I will call "13.1.1") is a timestamp, and DFIR just loves timestamps! That value is thought to be approximately when the previous page loaded (the exact mechanics of the timestamp are unclear, but it is generally pretty close to that).
For explanations of what the other values mean, please look at Phill Moore's googleURLParser, Tom Anthony's ved-decoder, or use Unfurl.
Version 2
This is the new version of ved that I have begun to see. It starts with a 2, which is different from all previous types.
Example: ved=2ahUKEwj5wOHYmrfmAhUjuaQKHc5PBfAQFjAAegQIARAB
It is still a base64-encoded protobuf, but it's a little longer. That's because there is another key-value pair in it: "15":
{
  "2": 22,
  "6": 0,
  "13": {
    "1": {
      "1": 1576397602054265, <------ still a timestamp!
      "2": 599368714,
      "3": 3461285360
    }
  },
  "15": {
    "1": 1,
    "2": 1
  }
}
I do not know what the values in "15" represent in this new version. I've seen a variety of values in 15.1 and 15.2, but all have been under 50. The "1" key-value pair has also been missing in all the version 2 examples I've found, which is interesting because in previous ved versions it was always present.
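The decoding steps described above (strip the version digit, base64-decode, parse the protobuf; split the text pairs for version 1), as an added Python example that is not from the original post or from the tools it links to. The function names, the URL-safe base64 handling, the nested-message heuristic and reading 13.1.1 as microseconds since the Unix epoch are assumptions. The protobuf wire format defines fixed32 as little-endian; passing order="big" reproduces the 13.1.2 and 13.1.3 values as listed in this post.

```python
import base64
from datetime import datetime, timedelta, timezone
V1_KEYS = {"i": 1, "t": 2, "r": 6, "s": 7}  # version 1 letters -> field numbers (list above)

def _varint(buf, pos):
    value = shift = 0
    while pos < len(buf) and shift < 64:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if buf[pos - 1] < 0x80:  # high bit clear: last byte of the varint
            return value, pos
    raise ValueError("truncated or oversized varint")

def parse_message(buf, order="little"):
    out, pos = {}, 0  # schema-less decode; a repeated field keeps its last value
    while pos < len(buf):
        tag, pos = _varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if field == 0 or wire not in (0, 1, 2, 5):
            raise ValueError(f"bad tag {tag:#x}")
        if wire == 0:
            out[field], pos = _varint(buf, pos)
            continue
        # fixed64 / fixed32 have a fixed size; wire type 2 carries a length prefix
        size, pos = ({1: 8, 5: 4}[wire], pos) if wire != 2 else _varint(buf, pos)
        chunk, pos = buf[pos:pos + size], pos + size
        if len(chunk) != size:
            raise ValueError("truncated field")
        if wire != 2:  # spec byte order is little-endian; "big" matches this post's listings
            out[field] = int.from_bytes(chunk, order)
            continue
        try:  # heuristic (assumption): nested message if it parses cleanly, else raw bytes
            out[field] = parse_message(chunk, order)
        except ValueError:
            out[field] = chunk.hex()
    return out

def decode_ved(ved, order="little"):
    version, data = ved[:1], ved[1:]
    if version == "1":  # plain-text pairs such as t:22,r:6,i:86
        pairs = (p.split(":", 1) for p in data.split(","))
        return 1, {V1_KEYS.get(k, k): int(v) for k, v in pairs}
    if version not in ("0", "2"):
        raise ValueError(f"unknown ved version {version!r}")
    # Assumption: URL-safe base64 alphabet with the trailing padding stripped.
    raw = base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))
    return int(version), parse_message(raw, order)

def ved_timestamp(fields):  # assumption: 13.1.1 is microseconds since the Unix epoch
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=fields[13][1][1])
```

Malformed input raises ValueError, so a caller processing URLs from browser history can catch it and move on to the next record.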
That's the update on the ved parameter. If you see any more examples of type 2 or new key-value pairs inside any of the versions please let me know.