Onebox is breaking golden tickets

I noticed this after brief chat with beginner Monzonaut via PMs. I provided fresh ticket and she said it was already used. I knew it wasn’t used, and it was quite easy to figure out a pattern.

Somehow onebox that shows preview of monzo ticket already redirects and opening link directly doesn’t work.
When user clicks direct https://goo.gl/something url, ticket shows as valid.

It probably has big impact on tickets in Golden ticket thread, they look gone, but they are not!

To reproduce, click this: https://goo.gl/fdVbKl - this works

Below is same link, just in onebox - doesn’t work.

Thanks for the tip-off! I reported it in the in-app help yesterday too

Funnily enough, someone grabbed this ticket quite quickly after I made this post, so my example no longer works. I probably shouldn’t have link it on Golden ticket thread. Clever people!

It’s easy to set up own example, even using reply box and preview on the right.

I’ll try and take a look at it during some of my free time today. No promises though.

Got it, Discourse has tried to convert all the &s in the URL to & somewhere in the URL expanding and rendering. If anybody is better at Ruby than I am, the gem that provides oneboxing to Discourse is on GitHub and I think this section is somewhat related to the behaviour we’re seeing, even if it’s not the cause.

Nice research I’ve asked one of the Monzo Engineers if they could take a look at this…

That was done for security reasons, this decision is more explained here:

We’ve noticed that Facebook Messenger also breaks Golden Tickets.

Monzoooo, any update on fixing this problem?