URL Shortening Frenzy Comes with Security Risks

The options for shortening long URL's to a more manageable length are quickly proliferating with both Google and Facebook getting into the link shortening game. The shortened URL's are easier to send via e-mail, and they are a requirement for Twitter's 140-character limitation, but they also introduce security risks.

Filling a Need

Link shortening is a valuable service- but you must be cautious about what is behind that shortened URL.
Some URL's--particularly on sites like Amazon, Youtube, and eBay--can be exceptionally long. You have probably either sent or received an email with a very long URL link that has been broken because it carried over to the next line. Then you have to manually copy and paste the various pieces of the URL into your Web browser address bar to get to the destination. Not very convenient, to say the least.

Services like TinyURL came along to solve that problem by assigning a shorter alias URL. Using TinyURL, the URL http://www.pcworld.com/businesscenter/article/184608/report_atandt_reputation_tarnished_by_iphone_flaws.html becomes http://tinyurl.com/yae8pvp. TinyURL shrinks the 108 character URL down to a much less cumbersome 26 characters that fit nicely in e-mails and tweets.

Exploiting Trust

There are two main problems with link shortening services. First, they make it easier for attackers to distribute spam and phishing attacks because the actual destination URL is not displayed. Second, because link shortening is frequently used with social networking services like Facebook and Twitter, there is an inherent trust that the link will be legitimate.

When I receive the above link in its entirety, I can easily see that the actual destination domain is pcworld.com--especially if I am using the Internet Explorer 8 browser which highlights the true domain as a defense against spoofed sites and phishing attacks. However, the TinyURL alias tells me nothing about the destination and could lead me to a malicious Web site.

Attackers can also circumvent many security controls by using URL shortening services. The URL shortening domains are trusted by default by firewalls, Web filters, and spam blocking tools which makes it more difficult to identify and weed out links that lead to malicious destinations.

Looking Behind the Curtain

You need to have a way to determine where that shortened URL is going to lead you before you click on it, lest you find yourself the victim of some sort of drive-by download and your PC becomes part of a botnet. Thankfully, there are tools available to help out with that.

Twitter users can use tools like Tweetdeck. Tweetdeck has an option in the settings to Show preview information for short URL's. With this setting enabled, when you click on a shortened URL within a tweet, a screen will appear that displays the title of the actual destination page, as well as the full-length URL.

There are other browser plug-ins and services that perform a similar function outside of Twitter. TinyURL offers an option to enable previews. You must have cookies enabled for the TinyURL previews to work, though. ExpandMyURL and LongURLPlease both provide Web browser plug-ins or applets that you can use to uncover the full URL behind the shortened link as well.

Perhaps the best news out of the recent frenzy of URL shortening headlines is the addition of Bit.Ly Pro. With Bit.Ly Pro, companies, blogs, and other entities can sign up for custom shortened domains that enable them to use shortened URL's while maintaining a unique and secure identity.

URL shortening is a useful and convenient service that is here to stay. Just make sure you exercise some common sense and an ounce of cautious skepticism to avoid being exploited by a shortened URL.

Tony Bradley tweets as @PCSecurityNews, and can be contacted at his Facebook page .

Subscribe to the Daily Downloads Newsletter

Comments