November 26, 2010

Using Shortened URLs: Security Risks

URL shortening services such as and are becoming trendy attack methods. We all share website links with each other through emails, blogs, social media sites, bookmarking websites and word of mouth, and we rarely, if ever, think about the potential security risk this simple act can raise. You may not want to automatically click on a shortened URL after you read this.

What is URL Shortening?

The compacted URLs produced by services such as,, is fine, and many others are convenient and save space, but they can also be used to hide the identity of malicious sites. The idea behind URL shortening or link shortening is very simple: take a long URL and encrypt it to produce a shorter URL. This is what URL shortening services do.

Security Risks
  • Allow spammers to override spam filters as domain names like TinyURL are automatically trusted.
  • Prevent users from checking for suspect URLs by obfuscating the actual Web-site URL.
  • Redirect users to phishing websites in order to get sensitive personal information.
  • Redirect users to malicious websites, just waiting to download malware.

Fortunately, there are several ways to look behind a shortened URL to see exactly where the link will take you - before you click it! Every URL-shortening service I'm aware of offers one or more ways to preview the real destination of a shortened link.

For example, here's a typical URL that I created. All it does is take you to the home page, but there's no way to know that in advance - it's a blind link:

So you want to see where the link really goes before you click it. It's easy: all you have to do is copy the link, paste it into the address bar of any browser window or tab, and add a plus sign to the end, like this:

Adding a plus sign to the end of any URL brings you to a special page that shows you information about the link, including the full, expanded URL. Using the information on that page, you can decide whether the link is safe and worth following.

TinyURL has a similar option. But instead of adding a plus sign at the end of a link, you prepend the word preview. For example, here's a regular TinyURL link to the Windows Secrets home page:

Copy that link into the address bar of your browser and add the word preview:

Now the link will bring you to a preview page that displays the full, expanded URL. Like all the other major URL-shortening services, TinyURL offers an easy way (circled in green) to preview the true destination of a shortened link.

All the major URL-shortening services have similar ways of letting you preview what's behind their URLs.

If you're checking lots of links, it can be a tedious process to manually copy, paste, and edit URLs. Several sites offer automated scripts to make things a bit easier. For example, when you encounter a suspicious short URL, you can try,, or
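
For checking many links at once, the following is an added example (not code from this post or from any of the services mentioned) that goes beyond the preview pages: it walks a short link's redirect chain with HEAD requests only, so the real destination can be inspected without loading it in a browser. The hosts in the sample table are constructed, and `fake_head` is a hypothetical stand-in for the network so the demo runs offline.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECTS = (301, 302, 303, 307, 308)

def http_head(url, timeout=5):
    """Send a single HEAD request and return (status, Location). Follows nothing."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)  # HEAD: headers only, no page body is downloaded
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=http_head, max_hops=10):
    """Return every URL in the redirect chain, ending at the first non-redirect."""
    chain = [url]
    for _ in range(max_hops):
        if urlsplit(url).scheme not in ("http", "https"):
            break  # record other schemes (ftp:, javascript:, ...) but never request them
        status, location = head(url)
        if status not in REDIRECTS or not location:
            break  # final destination reached
        url = urljoin(url, location)  # Location may be relative to the current hop
        looped = url in chain
        chain.append(url)
        if looped:
            break  # redirect loop: stop instead of spinning
    return chain

# Constructed redirect table standing in for the network; all hosts are made up.
FAKE = {
    "http://short.example/abc": (301, "http://tracker.example/r?id=7"),
    "http://tracker.example/r?id=7": (302, "/landing"),
    "http://tracker.example/landing": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
    "http://short.example/ftp": (301, "ftp://files.example/x"),
}

def fake_head(url):
    return FAKE.get(url, (404, None))

if __name__ == "__main__":
    for hop in expand("http://short.example/abc", head=fake_head):
        print(hop)
```

With the default `head=http_head`, every hop in the chain receives a request from your address, whereas a shortener's own preview page shows the destination without contacting it.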

Firefox users can install the preview add-on to allow previewing of short URLs without needing to leave the page you're on. Despite the name, the add-on works for many URL-shorteners - not just Chrome users can also download a similar extension for that browser. There is no fully automated preview tool for Internet Explorer, although several URL-shortening apps are available in the Microsoft IE Add-ons Gallery. Just type url into the search bar.


URL shortening is a useful and convenient service; just make sure you exercise some common sense and an ounce of caution to avoid being exploited by a shortened URL. Many industry experts say that we shouldn’t click on active links, whether they’re in e-mail messages, IM messages, or tweets. That’s an unrealistic expectation; so just make sure to approach links with caution. If possible, use one of the preview features to check out the link first.


Is there any antivirus program which can identify this???

There is no Anti-virus to identify these links; however, if you click on a link and it redirects you to a phishing site and starts stealing your information, that can be detected by an Anti-virus.
