Chief Alchemist - Business Consulting For The 21st Century Via A Holistic & Intelligent Approach
Share RSS 2.0 feed for Sign up for the mailing list. Follow Chief Alchemist on Twitter. 'Like' the Chief Alchemist's page on Facebook. See what Chief Alchemist has been Q&A'ing on Quora. Chief Alchemist bookmarks & highlights on Follow the Chief Alchemist on Chief Alchemist channel on Chief Alchemist on Flickr. Mark 'Chief Alchemist' Simchock on LinkedIn. Free Initial Consultation. Email Chief Alchemist. Phone Chief Alchemist.
  • Mark ‘Chief Alchemist’ Simchock
  • 'Email me.Email => ca .at. ChiefAlchemist .dot. com
  • 'Phone me.Alchemy United => 732 997-0028
  • Free initial consultation.Free => Initial Consultation
  • Please be sure to subscribe to your communication channels of choice.
  • Click To Close => The small green (consultation), red (email) or blue (phone) icons in the top upper right.
Business Consulting For The 21st Century Via A Holistic & Intelligent Approach

I think I found a loophole in Pro

FYI => Here’s what happened…I was logged into Specifically an account that uses Pro. I was poking around looking for an easy way to get stats on specific URLs. I was thinking there might be a way to GET a URL’s stats. Something. Anything. Other then paging though or even using the built in search.I was looking for something (other than the API) that might be easier.

When I click on the Info Page+ link I noticed that it was just a link to shortened code they assigned to the Pro URL. For example, if my Pro URL was and the shortened code was 0ops123,  the link I would share is  So to get to the stats page it was simply This makes sense. Whether Pro or regular a shortened code is not repeated. That much I already knew.

Now here comes the loophole…

I can get to the stats page (e.g., even when I logged out. This means that anyone who knows someone else’s vanity URL is being done via can snag their shortened URLs stats. Granted, it’s not the end of the world. It’s just some click info. However, I’m  not so sure it should be (semi) public either.

Will not be published. Required.
Please include http://