Private Links, Public Leaks: Consequences of Frictionless User Experience on the Security and Privacy Posture of SMS-Delivered URLs

This paper investigates the security and privacy risks of SMS-delivered URLs through public SMS gateways. The study analyzes more than 322K unique URLs extracted from over 33 million messages and finds exposed personal information, weak bearer-link authentication, token enumeration issues, and client-side overfetching patterns across real services. The work shows how convenience-oriented login and access flows can expose sensitive user data when SMS links are treated as sufficient authorization.