Unshrinking Shortened Web Links

Social networking Web sites are contributing to an explosion in the number of services that help people convert long URLs into tiny Web links. URL shrinking services are especially useful on sites that place a premium on brevity -- such as Twitter, which limits tweets to 140 characters. But few online communities have made it easy for users to tell where the shortened links will take them, a reality that could be advantageous to phishers and other cyber crooks.

When I first began researching this subject, I was amazed to learn how many URL shortening services are available today (at least 90). Also, the lack of a built-in or standardized approach to URL shortening services within individual social networking sites adds complexity to the problem.

For example, many Twitter users shorten long Web links with bit.ly, but Twitter users are just as likely to see Tweets with links shortened by the services at ow.ly and tr.im. What's more, while bit.ly offers a Firefox add-on that lets users of that browser view at least a portion of the longer URL, I couldn't find any such offering or other easy way to view the long version of links at either ow.ly or tr.im.

As I continued to review the different URL shortening services available, I found that while many let their own users preview shortened links, many others don't provide that option at all. There are several sites that you can use to view a long URL by cutting and pasting a shortened link -- such as longurl.org.

The following are the more popular and versatile options, as well as a few approaches that work across multiple services and platforms.

TinyURL, which is among the longest-running URL shortening services, lets you automatically enable the preview of all shortened URLs. Just visit this page and click the "Enable Previews" link, and from then on TinyURLs will be converted into their longer form when you visit a Web page that features them. You must have cookies enabled in your browser for this setting to take, and you will need to set the cookie for each browser you use.

If you browse the Web with Firefox, I recommend an add-on called Long URL Please, which currently converts URLs shortened by 72 different services, including bit.ly, cli.gs, digg.com, is.gd, kl.am, ow.ly, tr.im, and tinyurl.com.

Long URL Please also works in Internet Explorer and other browsers: Simply add this bookmarklet to your bookmarks, and then click on it when you're at a page that includes shortened URLs to display the long URL.

Firefox users who are familiar with the Greasemonkey add-on may prefer the Tiny URL Decoder script (my preference), which also works with a long list of URL shortening services.

Expandmyurl.com is another bookmarklet approach that works across browsers.

Not everyone thinks short URLs are that big of a security threat. Johannes Ullrich, chief technology officer with the SANS Internet Storm Center, said he thinks I'm giving readers a false sense of security by recommending these lengthening services.

"Even without shortening the URL... do you actually know what you click on? What will be at that domain?" he asked in an instant message to Security Fix. "The real problem is that you will never know where you end up."

Ullrich is right, of course: Just because you know or think you know a Web site is secure doesn't mean it is free of hostile content. Still, call me old-fashioned, but I've grown accustomed to being able to see where I'm going by mousing over a link before clicking it.

What do you think, dear readers? Did I leave out any important services? Please sound off in the comments below.

By Brian Krebs  |  June 9, 2009; 6:50 AM ET
Categories:  Latest Warnings , Safety Tips  | Tags: lengtheners, url shorteners  

Comments

Yes, these are very dangerous, and at the least can inadvertently have you going to some NSFW site from friends. Much less when they come from some less than credible source.

Probably some celebrity will do this kind of thing and get seriously flamed for it at some point soon.

Posted by: timscanlon | June 9, 2009 7:19 AM | Report abuse

Agreed 100% about the dangers in tiny URLs. There's a great "link preview" tool for Firefox called InterClue that displays the link's page and much more data about the link, and has other options:

http://interclue.com/

Posted by: axialinfo | June 9, 2009 9:15 AM | Report abuse

Brian, I've had very good experience with TinyURL's service, which I use mainly when posting URLs in epost messages, on help sites, etc., as longer ones can be problematic in this context. In situations in which other participants can be expected to know who I am (I always use my own name rather than a pseudonym when I post), I use the shorter version; in other situations, I use the preview version....

Henri

Posted by: mhenriday | June 9, 2009 12:13 PM | Report abuse

I have two thoughts on this:
1 – Shortened URLs are akin to hyperlinks. The average user will not inspect the actual URL of a hyperlink, unless there is a reason to do so. If a friend sends a link that says “click here”, there is really no difference in that friend sending “tinyurl.com/s0me-str1ng”. If you look at it that way, then the security threat is equal to hyperlinks.

2 – Even if the security threat is equal to hyperlinks, you can mitigate this with a properly configured web filter. If you block access to “unsafe” URL shorteners – URL shorteners that redirect to a site without needing to have your browser make a new request, something like a proxy might do – then you would not be able to get the long URL for that site. If a URL shortener is “safe” then the long URL will still make your browser request the long URL. If that long URL is against policy, then the web filter should block this.

IMHO - if you use a policy of “what is needed to be productive at work” then businesses would be (largely) insulated from this threat. Of course, most home users don’t follow the same advice, so they are more vulnerable to phishing/malware scams.

Tim

Posted by: tcronin-astaro | June 9, 2009 12:22 PM | Report abuse

Note that Twitter automatically shortens URLs longer than 40 characters, using bitly (until recently they used tinyurl). It seems like this might help to make Twitter a good target for an attack in which accounts are hijacked in order to steer followers of the account towards a malicious site.

Posted by: user4733 | June 9, 2009 3:25 PM | Report abuse

Personally, I am intimidated by the "cloaking" effect of a shortened URL when I run across one. Yet I think the SANS officer is completely correct in his assessment that knowing the full URL you are visiting doesn't protect you from anything if you haven't already taken other measures to secure your PC. So, is there any value in seeing the full URL aside from some sort of psychological pacifier?

I think that depends on the audience. For the non-technical user, I don't think it matters one bit. However, for the power user or the IT pro, I think it makes a substantial difference. First off, not all bad actors on the Internet are talented professionals. All hostile forces have to go through their own larval stages as well, making their bones off the ignorant or the oblivious. Blindly clicking into a shortened URL makes you one of the oblivious.

Secondly, the first step in analyzing and solving problems is gathering information. If you do run into problems and then find yourself trying to decode the shortened URL after the fact, you are already working from a disadvantage.

So ultimately it's a question of being fully informed, which is not a security technique but is part of a secure mentality.

Posted by: conspirator5 | June 9, 2009 4:07 PM | Report abuse

Well spoken, conspirator. I think you nailed it.

Posted by: BTKrebs | June 9, 2009 4:21 PM | Report abuse

There is at least one service that creates safe short URLs. I have created Safe.mn (http://safe.mn) to address the two main criticisms to URL shorteners: security and transparency. All links are thoroughly verified for viruses, malware, phishing, malicious content, session stealing, cross-site scripting attacks, etc. Any suspicious link gets flagged, and users are warned about it. Safe.mn is also the most transparent URL shortener service: all links generated by Safe.mn are publicly available, and updated regularly.

Posted by: jusob | June 10, 2009 12:00 AM | Report abuse

"[...]do you actually know what you click on?[...]" Safe.mn (http://safe.mn/) was created to address this issue. All links are thoroughly verified for viruses, malware, phishing, malicious content, session stealing, cross-site scripting attacks, etc. So users should have to worry when they click on a short link starting with http://safe.mn/

Posted by: jusob | June 10, 2009 12:12 AM | Report abuse

Brian:

I did a post on this a while back, too:

http://bjkeefe.blogspot.com/2009/05/previewing-shortened-urls.html

Some tips there that you didn't touch on. Perhaps the most useful two: you can append a hyphen to an is.gd address to go to a preview page for that link, and you can prepend "preview." to a TinyURL address for the same effect.

I tried the bit.ly add-on for Firefox. It worked well enough for some services, but I decided to uninstall it. As some of your other commenters have already noted, it's hard to be sure about any unknown URL, shortened or not. Basically, you're relying more on your faith in the person offering the link than anything else. (Along with your anti-malware software, etc.)

Posted by: bjkeefe | June 10, 2009 1:01 AM | Report abuse

Really good one, BK. Excellent research! Thanks very much for this. Cheers.

Posted by: Rixstep | June 16, 2009 6:25 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company