URL shortening services such as TinyURL.com and Bit.ly are becoming a trendy attack vector. We all share website links with each other through emails, blogs, social media sites, bookmarking websites and word of mouth, and we rarely, if ever, think about the potential security risk this simple act can raise. You may not want to automatically click on a shortened URL after you read this.
What is URL Shortening?
The compacted URLs produced by services such as TinyURL.com, bit.ly, is.gd, and many others are convenient and save space, but they can also be used to hide the identity of malicious sites. The idea behind URL shortening, or link shortening, is very simple: take a long URL and convert it into a shorter URL that redirects to the original. This is what URL shortening services do.
Security Risks
- Allow spammers to bypass spam filters, as domain names like TinyURL are automatically trusted.
- Prevent users from checking for suspect URLs by obfuscating the actual website URL.
- Redirect users to phishing websites in order to get sensitive personal information.
- Redirect users to malicious websites that are just waiting to download malware.
Fortunately, there are several ways to look behind a shortened URL to see exactly where the link will take you - before you click it! Every URL-shortening service I'm aware of offers one or more ways to preview the real destination of a shortened link.
For example, here's a typical bit.ly URL that I created. All it does is take you to the http://www.techsupp247.com/ home page, but there's no way to know that in advance - it's a blind link:
bit.ly/tsp247
So you want to see where the link really goes before you click it. It's easy: all you have to do is copy the link, paste it into the address bar of any browser window or tab, and add a plus sign to the end, like this:
bit.ly/tsp247+
Adding a plus sign to the end of any bit.ly URL brings you to a special bit.ly page that shows you information about the link, including the full, expanded URL. Using the information on that bit.ly page, you can decide whether the link is safe and worth following.
TinyURL has a similar option. But instead of adding a plus sign at the end of a link, you prepend the word preview. For example, here's a regular TinyURL link to the Windows Secrets home page:
http://tinyurl.com/TS247
Copy that link into the address bar of your browser and add the word preview:
http://preview.tinyurl.com/TS247
All the major URL-shortening services have similar ways of letting you preview what's behind their URLs.
If you're checking lots of links, it can be a tedious process to manually copy, paste, and edit URLs. Several sites offer automated scripts to make things a bit easier. For example, when you encounter a suspicious short URL, you can try Longurl.org, ExpandMyURL.com, or LongURLPlease.com.
Firefox users can install the bit.ly preview add-on to allow previewing of short URLs without needing to leave the page you're on. Despite the name, the add-on works for many URL-shorteners - not just bit.ly. Chrome users can also download a similar extension for that browser. There is no fully automated preview tool for Internet Explorer, although several URL-shortening apps are available in the Microsoft IE Add-ons Gallery. Just type url into the search bar.
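The two preview rules described above (the bit.ly plus sign and the TinyURL preview prefix) can be applied to every short link in a block of text at once. The following is an added example, not part of the original article; the function names and the sample message are constructed for illustration, and links from shorteners other than the two covered above are returned as None rather than guessed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Preview rules taken from the article: bit.ly appends "+", TinyURL uses the
# "preview." host. The lookbehind stops "evilbit.ly/x" from being read as bit.ly.
SHORT_LINK = re.compile(
    r"(?<![\w./-])(?:https?://)?(?:www\.)?"
    r"(?:bit\.ly|(?:preview\.)?tinyurl\.com)/[\w+-]+",
    re.I,
)
KNOWN_HOSTS = ("bit.ly", "tinyurl.com", "preview.tinyurl.com")


def preview_url(link):
    """Return the preview form of a bit.ly or TinyURL link, else None."""
    if "://" not in link:
        link = "http://" + link  # bare "bit.ly/xyz", as typed in the article
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path
    if len(path) < 2 or host not in KNOWN_HOSTS:
        return None  # unknown service or no short code: do not guess
    if host == "bit.ly" and not path.endswith("+"):
        path += "+"
    elif host == "tinyurl.com":
        host = "preview.tinyurl.com"
    return urlunsplit((parts.scheme, host, path, "", ""))


def previews_in(text):
    """Map every bit.ly/TinyURL link found in free text to its preview URL."""
    return {m.group(0): preview_url(m.group(0)) for m in SHORT_LINK.finditer(text)}


# Constructed sample message; the two short links are the ones used in the article.
SAMPLE = ("Deal ends today: bit.ly/tsp247. Details at http://tinyurl.com/TS247, "
          "or see http://www.techsupp247.com/")

if __name__ == "__main__":
    for short, preview in previews_in(SAMPLE).items():
        print(short, "->", preview)
```

Open the resulting preview URLs, not the original short links, to read the destination before deciding whether to follow it.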
Conclusion
URL shortening is a useful and convenient service; just make sure you exercise some common sense and an ounce of caution to avoid being exploited by a shortened URL. Many industry experts say that we shouldn’t click on active links, whether they’re in e-mail messages, IM messages, or tweets. That’s an unrealistic expectation; so just make sure to approach links with caution. If possible, use one of the preview features to check out the link first.