1

I am currently sending very long PayPal url's to customers which sometimes leads to a line-break and makes it unclickable, whenever the customer can't receive HTML emails.

I am thinking of using a 3rd party application like bit.ly to shorten the paypal url and then send it to the customer. However, I am not sure if this leads to any security risk if I shorten the url instead of sending the full url.

The PayPal url contains the following information:

  • My account email
  • Item name, price, currency and quantity
  • Shipping Address of Customer
Adam
  • 147
  • 1
  • 1
  • 11
  • 1
    If you want to use shorter URL's, have a look at YOURLS. It's a tool that can shorten URL's for you using your own domain and hosting. That way, you can be sure it's safe. I use it myself too! Here's an example link I made with it. – Cas Nov 02 '16 at 11:05

2 Answers2

3

I think this is an information leak to the url shortening service, which is a third party. You would give away your own busines data (who buys what), and also your customers' private data (the fact that they bought those items).

Depending on how the shortening service works, doing this on plain http would be even worse (sharing the above stuff with pretty much anybody), but bit.ly I think works over https at least. But still it doesn't change the fact that you share this data with bit.ly.

Another aspect of it is that you may not even be legally allowed to do that unless you warn your users of what happens to their data (that it will be given to a third party, not just processed by you). Privacy regulations in for example the EU are very strict.

Gabor Lengyel
  • 1,173
  • 7
  • 11
1

This is a bad idea.

As lengyelg says, you share both your business data and your customers personal information with a third party. Even if you feel that you can trust the people who run bit.ly, do trust whoever might buy it in five year? Do you trust that they never get breached? Do all your customer also trust them?

What is even worse is that you have no guarantee that bit.ly will redirect to the actual URL you gave them. In theory they could instead redirect to a PayPal page that will direct the payments to somebody else... You have no way to gaurantee that the link you send to your customer will actually lead them where you think it will.

So what should you do instead? Create your own mini redirect service, and send the customers links on the form https://mybusiness.com/paypalredirect?id=[random id]. That page then looks up the long PayPal URL in the database and redirects to it. No third party involved, so no data is leaked.

Community
  • 1
Anders
  • 65,582
  • 24
  • 185
  • 221