I don’t like URL shorteners

Yesterday I got an SMS from Chef’s Plate, asking me to resubscribe to their delivery meal program:

Missing tasty Chefs Plate meals? Get up to 40% off your next 4 boxes and start cooking again for a fraction of the cost: To opt out reply STOP

Usually, I would have just ignored it, but then I saw the URL in the text, and my mind immediately went: “great, these dumb nuggets had a security breach, and now my phone number is with some sore loser with no other purpose than to cause grief.”

Not to mention, these promotional offers usually come from shortcode (5- or 6-digit) phone numbers. This one came from a longcode phone number. I didn’t even bother to look up the phone number, and focused directly on that link.

curl --head
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 28 Jul 2023 05:38:42 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 246
Cache-Control: private, max-age=90
Content-Security-Policy: referrer always;
Referrer-Policy: unsafe-url
Set-Cookie: _bit=n6s5CG-2970274fbfbd00e5fa-00Y;; Expires=Wed, 24 Jan 2024 05:38:42 GMT
Via: 1.1 google

Boy, I did not expect it to be this easy. The Location exposes what the shortened URL is meant to redirect me to. The REDACTED part is my code to get 40% off. Everything else in that URL that follows after the ? is useless to me. Not to mention, it is using a Content Security Policy value that is both deprecated and incorrect. Next, it uses a harmful Referrer-Policy value (unsafe-url), which can leak information to insecure origins. Finally, it also sets a cookie that expires 6 months later. Can y’all just stop already?
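The same header checks can be scripted over a saved `curl --head` response, so the destination is read from Location without the link ever being followed. This is an added example, not code from the original post; the function name `audit_redirect`, the finding labels, the 30-day cookie threshold, and the sample Location and cookie values are assumptions made for illustration.

```python
from email.parser import Parser
from email.utils import parsedate_to_datetime

# Constructed sample shaped like the response above; the Location and cookie
# values are placeholders, not values from the post.
SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Date: Fri, 28 Jul 2023 05:38:42 GMT
Location: https://shop.example/offer?code=PLACEHOLDER&utm_source=sms
Content-Security-Policy: referrer always;
Referrer-Policy: unsafe-url
Set-Cookie: _bit=PLACEHOLDER;; Expires=Wed, 24 Jan 2024 05:38:42 GMT
"""

def audit_redirect(raw, max_cookie_days=30):
    """Return (finding, detail) pairs for one captured HEAD response."""
    status_line, _, header_block = raw.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    findings = []
    # Read the destination from Location instead of following the redirect.
    if 300 <= status < 400 and headers.get("Location"):
        findings.append(("redirect-target", headers["Location"]))
    # "referrer" was a draft CSP directive; Referrer-Policy replaced it.
    for csp in headers.get_all("Content-Security-Policy", []):
        for directive in csp.split(";"):
            if directive.lower().split()[:1] == ["referrer"]:
                findings.append(("csp-deprecated-referrer", directive.strip()))
    # unsafe-url sends the full URL as Referer, even to plain-HTTP origins.
    policies = [p.strip().lower() for p in headers.get("Referrer-Policy", "").split(",")]
    if "unsafe-url" in policies:
        findings.append(("referrer-policy-leaks-url", "unsafe-url"))
    # Cookie lifetime = Expires attribute minus the response's Date header.
    served = parsedate_to_datetime(headers["Date"]) if headers.get("Date") else None
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        for attr in cookie.split(";")[1:]:
            key, _, value = attr.strip().partition("=")
            if key.lower() == "expires" and served:
                days = (parsedate_to_datetime(value) - served).days
                if days > max_cookie_days:
                    findings.append(("long-lived-cookie", f"{name}: {days} days"))
    return findings

if __name__ == "__main__":
    for finding, detail in audit_redirect(SAMPLE):
        print(f"{finding:28} {detail}")
```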

At least the link does point to Chef’s Plate’s website, right? But it’s 2023: why are they still using URL shorteners? It’s 2023, and most devices are capable of handling concatenated SMSes. Don’t tell me: greedy corporations are trying to save money? Unbelievable. Look, I can see the reason(s) behind their use, okay, I just don’t care to agree with it. Others don’t either.