From a security standpoint, blindly clicking on redirect URLs is probably not the best idea, especially if you don't know (or don't implicitly trust) the person who shared it. In fact, even a trusted user's account could theoretically be hijacked, as happened earlier today when an XSS attack was launched against Twitter.
Thankfully, many URL shortening services offer ways of previewing the full URL before visiting it. Instructions for some of these sites follow (roughly in order of popularity). Note that I do not necessarily endorse any of the services below; this information is given for information purposes only, based on what I was able to find out by researching and testing each service.
TinyURL
Add "preview." before the "tinyurl.com" portion of the URL to see where the link will take you, e.g. you can change http://tinyurl.com/cz23u4 into http://preview.tinyurl.com/cz23u4
Better yet, you can force TinyURL to always take you to the preview link whenever you click on a tinyurl.com shortcut. If you go to http://tinyurl.com/preview.php you can set a cookie for the site that will enable this feature.
bit.ly / j.mp / urls.im (and bit.ly Pro sites like amzn.to, binged.it, nyti.ms, on.fb.me, oreil.ly, tcrn.ch, yhoo.it, etc.)
Just add a plus ("+") after a bit.ly or j.mp URL to see where the link will take you, and also to get statistics for that shortened URL (bit.ly and j.mp are interchangeable). For example, you can change http://bit.ly/2KeAT into http://bit.ly/2KeAT+ which will redirect to http://bit.ly/info/2KeAT
Alternatively, you can add "/info" after the "bit.ly" or "j.mp" portion of the URL. For example, you can change http://bit.ly/2KeAT into http://bit.ly/info/2KeAT
Note that amzn.to links always redirect to Amazon.com, and nyti.ms links redirect to nytimes.com (The New York Times). These companies have "bit.ly Pro" accounts and use the special URLs to link only to their own sites, so you can be reasonably confident about where these URLs will take you. Other bit.ly Pro sites like oreil.ly (owned by O'Reilly Media) do not link exclusively to one specific site. All bit.ly Pro addresses, regardless of which company is responsible for them, can be previewed the same way as regular bit.ly or j.mp addresses using the methods outlined above.
goo.gl
Google's short URLs can be previewed the same way as bit.ly URLs. Just add a plus ("+") after a goo.gl URL to see where the link will take you, and also to get statistics for that shortened URL. For example, you can change http://goo.gl/1tRbb into http://goo.gl/1tRbb+ which will redirect to http://goo.gl/info/1tRbb
Alternatively, you can add "/info" after the "goo.gl" portion of the URL. For example, you can change http://goo.gl/1tRbb into http://goo.gl/info/1tRbb
is.gd
Just add a hyphen ("-") to the end of any is.gd URL to preview it, e.g. http://is.gd/rZ7U can be changed into http://is.gd/rZ7U-
Snipurl / Snipr / Snurl / Sn.im / St.im / Cl.lk
Add "peek." before the snipurl.com, snipr.com, snurl.com, sn.im, st.im, or cl.lk part of an address to find out where the link leads, e.g. http://snipurl.com/fpyfq can be changed into http://peek.snipurl.com/fpyfq
Tiny.cc
Just add a tilde ("~") to the end of any tiny.cc URL to preview it and get statistics for it, e.g. http://tiny.cc/d7bza can be changed into http://tiny.cc/d7bza~
BudURL
Simply add a question mark ("?") to the end of any BudURL shortcut to preview it, e.g. you can change http://budurl.com/gtg3 into http://budurl.com/gtg3?
Fwd4.Me
Like BudURL, just add a question mark ("?") to the end of any Fwd4.Me URL to preview it, e.g. you can change http://fwd4.me/uPV into http://fwd4.me/uPV? (Note: You need to enable JavaScript in order to create Fwd4.Me URLs.)
short.ie
Add "/see" after the short.ie portion of a URL to preview it, e.g. you can change http://short.ie/kviytq into http://short.ie/see/kviytq (Note: You need to enable JavaScript in order to create short.ie URLs.)
su.pr
StumbleUpon's URL shortener, su.pr, can be previewed similarly to bit.ly; just add a "+" after a su.pr URL to get a preview page, e.g. you can change http://su.pr/2xZo8c into http://su.pr/2xZo8c+ (Note that su.pr shortcuts put an annoying StumbleUpon bar across the top of the destination page.)
bu.tt
No, I'm not making this up— bu.tt is a real URL shortener. Like bit.ly, add a "+" after a bu.tt URL to preview it, e.g. you can change http://bu.tt/e9b into http://bu.tt/e9b+
y.ahoo.it
In order to preview y.ahoo.it URLs, you must go to http://y.ahoo.it (with JavaScript and cookies enabled) and click on the checkbox next to "Show me a preview of the destination URL when viewing y.ahoo.it links".
kl.am
In order to preview kl.am URLs, you must go to http://kl.am (with JavaScript and cookies enabled) and click on the checkbox next to "Preview mode: OFF" to turn preview mode on. (Yes, I typed that correctly.)
sURL.co.uk
When you visit a sURL.co.uk short URL, you will automatically get a preview of the destination address and its status on hpHosts, Malware Domain List, and PhishTank so you can instantly see whether it's a known malware or phishing scam site. The preview cannot be disabled. This is by far the most safety-focused URL shortening service, which is no surprise since it's operated by the maintainer of hpHosts.
cli.gs
Another service that automatically gives you a preview is cli.gs. The feature can be explicitly disabled by each user, if desired; there's a "Click here to disable previews" link on each preview page, which when clicked sets a cookie to disable previews in the future.
Tinyarro.ws / ta.gd
Tinyarro.ws is the only other URL shortener service I know of that automatically gives you a preview. Again, the preview can be disabled, if desired; there's a "Never show a URL preview again" link on each preview page, which when clicked sets a cookie to disable previews in the future.
Other services
Unfortunately, several popular services (including, as far as I can tell: t.co, twurl.nl, moourl.com, ow.ly, lnkd.in, lnk.ms, wp.me, mcaf.ee, and adjix.com) don't offer the ability to preview the original long URL before visiting it. Personally, I'm not interested in using URL shorteners that don't offer previews. It's just nice to give people the opportunity to be able to view the full URL without having to click the link first. However, if someone else sends you a shortened link from another service and you want to preview it, you may still be able to do so using a third-party site. Here are a couple of sites that let you do just that:
- URLVoid Extract URL - Works with almost any site
- LongURL Expand URL - Works with hundreds of popular sites
If you know of any other URL shortening services that offer a preview feature, feel free to leave a comment with the details of how to change a shortened URL into a preview URL.
See also my follow-up article about a Firefox add-on that lets you preview full URLs automatically: LongURL: Preview Shortened URLs, No Clicking Required.
UPDATE, 3 Mar 2010: Removed defunct shortening services: poprl.com, sn.im (which has been replaced with st.im and cl.lk), and plurl.me. Also added the plus character shortcut to the bit.ly section.
UPDATE, 30 Mar 2010: Added tiny.cc and surl.co.uk.
UPDATE, 5 Apr 2010: Added j.mp and re-added sn.im.
UPDATE, 30 Nov 2010: Added goo.gl due to popular demand, plus mentioned bit.ly Pro. Also added a couple sites that can be used to find out long URLs, even when the shortening service itself doesn't offer a way to preview where a link will take you.
UPDATE, 25 Jan 2011: Added info about previewing cli.gs, urls.im, su.pr, fwd4.me, tcrn.ch, and bu.tt. Added moourl.com and Twitter's own t.co to the list of shorteners that unfortunately don't offer previews. Removed mentions of defunct tr.im and twurl.cc.
UPDATE, 31 Mar 2011: Added info about previewing binged.it, on.fb.me*, y.ahoo.it, and yhoo.it. Added lnk.ms, lnkd.in, mcaf.ee, and wp.me to the list of shorteners that unfortunately don't offer previews. *Note that on.fb.me is different from fb.me, and the latter cannot be previewed as far as I can tell. However, if you see a human-readable word or name after fb.me, this will redirect to one of Facebook's so-called "vanity URLs" for a user profile or fan page; thus fb.me/facebook will redirect to facebook.com/facebook.
For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.
Posts
15 comments: