I’ve been ranting about Bitly for years! The ubiquitous link shortener had an interesting “feature” – add a
+ to the end of the URl and you could see all the statistics for the link. How many clicks, referers, location of users.
I often used this feature to explore how popular companies and scammers were:
This is why we don't use bitly in our work.
*Anyone* can add a + to the end of the URl and see where your traffic has come from.
Are your users happy knowing you're leaking that data to the whole world? pic.twitter.com/lifOwP4HC8
— Terence Eden (@edent) August 5, 2019
Already nearly 200 people have fallen for this Amazon phishing attack.
Uses bitly to mask the true destination. Spread via SMS. pic.twitter.com/QaR80RU8B3
— Terence Eden (@edent) January 26, 2017
One for the click-through-rate nerds to ponder.
Mobile provider Three took 550,000 Direct Debit early.
It contacted all those affected – sending them a bitly link.
121,000 clicked on the link they were sent. pic.twitter.com/59Aaw7O4wU
— Terence Eden (@edent) April 10, 2019
— Terence Eden (@edent) September 26, 2016
And BitLy still hasn't taken them down. https://t.co/2CDRQ1fpVz
— Terence Eden (@edent) November 9, 2019
I even used it to track GCHQ’s publishing schedule.
Well, the party is now over. As of last week, Bitly closed the hole. You can only see stats for your own URls:
Hi there, Terence. We made the change last week.
— Bitly (@Bitly) February 21, 2020
I’m glad that they’ve started to take privacy seriously – although I’m slightly sad that I can’t eavesdrop on how well links are performing.
But, there’s a lesson here. Don’t use third-party intermediaries for your links. They sacrifice your privacy and your users’ privacy, for very little in return.