Saturday, April 11, 2009

How to Preview Shortened URLs (TinyURL, bit.ly, is.gd, and more)

On many social networks, it's a common practice to use shortened redirect URLs rather than linking directly to the (often much longer) original URL of a page. This is especially common when character limits are imposed, such as Twitter's 140 character maximum.

From a security standpoint, blindly clicking on redirect URLs is probably not the best idea, especially if you don't know (or don't implicitly trust) the person who shared it. In fact, even a trusted user's account could theoretically be hijacked, as happened earlier today when an XSS attack was launched against Twitter.

Thankfully, many URL shortening services offer ways of previewing the full URL before visiting it. Instructions for some of these sites follow (roughly in order of popularity). Note that I do not necessarily endorse any of the services below; this information is given for information purposes only, based on what I was able to find out by researching and testing each service.

TinyURL
Add "preview." before the "tinyurl.com" portion of the URL to see where the link will take you, e.g. you can change http://tinyurl.com/cz23u4 into http://preview.tinyurl.com/cz23u4
Better yet, you can force TinyURL to always take you to the preview link whenever you click on a tinyurl.com shortcut. If you go to http://tinyurl.com/preview.php you can set a cookie for the site that will enable this feature.

Bitly.com / bit.ly / j.mp / urls.im (and Bitly Enterprise sites like amzn.to, aol.it, atmlb.com, bbc.in, bhpho.to, binged.it, bloom.bg, buff.ly, cnet.co, huff.to, lat.ms, nyr.kr, nyti.ms, on.fb.me, on.mtv.com, on.vh1.com, oreil.ly, politi.co, tcrn.ch, usat.ly, wapo.st, yhoo.it, etc.)
Just add a plus ("+") after a bit.ly URL to see where the link will take you, and also to get statistics for that shortened URL (bit.ly, bitly.com, j.mp, and urls.im are interchangeable). For example, you can change http://bit.ly/2KeAT into http://bit.ly/2KeAT+ which will redirect to http://bit.ly/info/2KeAT
Alternatively, you can add "/info" after the domain portion of the URL. For example, you can change http://bit.ly/2KeAT into http://bit.ly/info/2KeAT

Note that amzn.to links always redirect to Amazon.com, and nyti.ms links redirect to nytimes.com (The New York Times). These companies have Bitly Enterprise (formerly known as "bit.ly Pro") accounts and use the special URLs to link only to their own sites, so you can be reasonably confident about where these URLs will take you. Other Bitly Enterprise sites like oreil.ly (owned by O'Reilly Media) do not link exclusively to one specific site. All Bitly Enterprise addresses, regardless of which company is responsible for them, can be previewed the same way as regular bit.ly addresses using the methods outlined above.

goo.gl
Google's short URLs can be previewed the same way as bit.ly URLs. Just add a plus ("+") after a goo.gl URL to see where the link will take you, and also to get statistics for that shortened URL. For example, you can change http://goo.gl/1tRbb into http://goo.gl/1tRbb+ which will redirect to http://goo.gl/info/1tRbb
Alternatively, you can add "/info" after the "goo.gl" portion of the URL. For example, you can change http://goo.gl/1tRbb into http://goo.gl/info/1tRbb

is.gd
Just add a hyphen ("-") to the end of any is.gd URL to preview it, e.g. http://is.gd/rZ7U can be changed into http://is.gd/rZ7U-

Snipurl / Snipr / Snurl / Sn.im / Cl.lk
Add "peek." before the snipurl.com, snipr.com, snurl.com, sn.im, or cl.lk part of an address to find out where the link leads, e.g. http://snipurl.com/fpyfq can be changed into http://peek.snipurl.com/fpyfq

Tiny.cc
Just add a tilde ("~") to the end of any tiny.cc URL to preview it and get statistics for it, e.g. http://tiny.cc/d7bza can be changed into http://tiny.cc/d7bza~

BudURL
Simply add a question mark ("?") to the end of any BudURL shortcut to preview it, e.g. you can change http://budurl.com/gtg3 into http://budurl.com/gtg3?

Fwd4.Me
Like BudURL, just add a question mark ("?") to the end of any Fwd4.Me URL to preview it, e.g. you can change http://fwd4.me/uPV into http://fwd4.me/uPV? (Note: You need to enable JavaScript in order to create Fwd4.Me URLs.)

su.pr
StumbleUpon's URL shortener, su.pr, can be previewed similarly to bit.ly; just add a "+" after a su.pr URL to get a preview page, e.g. you can change http://su.pr/2xZo8c into http://su.pr/2xZo8c+ (Note that su.pr shortcuts put an annoying StumbleUpon bar across the top of the destination page.)

yi.tl
This service provides a preview if you add a tilde ("~") after the URL. For example, you can change http://yi.tl/B03ImN into http://yi.tl/B03ImN~ to see the long URL. As a bonus, you'll also get to see the title of the destination page and see whether the URL is in Google's phishing or malware database.

y.ahoo.it
In order to preview y.ahoo.it URLs, you must go to http://y.ahoo.it (with JavaScript and cookies enabled) and click on the checkbox next to "Show me a preview of the destination URL when viewing y.ahoo.it links".

sURL.co.uk
When you visit a sURL.co.uk short URL, you will automatically get a preview of the destination address and its status on hpHosts, Malware Domain List, and PhishTank so you can instantly see whether it's a known malware or phishing scam site. The preview cannot be disabled. This is by far the most safety-focused URL shortening service, which is no surprise since it's operated by the maintainer of hpHosts.

cli.gs
Another service that automatically gives you a preview is cli.gs. The feature can be explicitly disabled by each user, if desired; there's a "Click here to disable previews" link on each preview page, which when clicked sets a cookie to disable previews in the future.

Tinyarro.ws / ta.gd
Tinyarro.ws is the only other URL shortener service I know of that automatically gives you a preview. Again, the preview can be disabled, if desired; there's a "Never show a URL preview again" link on each preview page, which when clicked sets a cookie to disable previews in the future.

Other services
Unfortunately, several popular services (including, as far as I can tell: t.co, twurl.nl, moourl.com, ow.ly, lnkd.in, lnk.ms, wp.me, mcaf.ee, and awe.sm) don't offer the ability to preview the original long URL before visiting it. Personally, I'm not interested in using URL shorteners that don't offer previews. It's just nice to give people the opportunity to be able to view the full URL without having to click the link first. However, if someone else sends you a shortened link from another service and you want to preview it, you may still be able to do so using a third-party site. Here are a couple of sites that let you do just that:
If you know of any other URL shortening services that offer a preview feature, feel free to leave a comment with the details of how to change a shortened URL into a preview URL.

See also my follow-up article about a Firefox add-on that lets you preview full URLs automatically: LongURL: Preview Shortened URLs, No Clicking Required. (UPDATE: This add-on is no longer being developed and will not work with current versions of Firefox. The best alternative I've been able to find is unshorten.it for Firefox and Chrome.)

UPDATE, 3 Mar 2010: Removed defunct shortening services: poprl.com, sn.im (which has been replaced with st.im and cl.lk), and plurl.me. Also added the plus character shortcut to the bit.ly section. 
UPDATE, 30 Mar 2010: Added tiny.cc and surl.co.uk.
UPDATE, 5 Apr 2010: Added j.mp and re-added sn.im.
UPDATE, 30 Nov 2010: Added goo.gl due to popular demand, plus mentioned bit.ly Pro. Also added a couple sites that can be used to find out long URLs, even when the shortening service itself doesn't offer a way to preview where a link will take you.
UPDATE, 25 Jan 2011: Added info about previewing cli.gs, urls.im, su.pr, fwd4.me, tcrn.ch, and bu.tt. Added moourl.com and Twitter's own t.co to the list of shorteners that unfortunately don't offer previews. Removed mentions of defunct tr.im and twurl.cc.
UPDATE, 31 Mar 2011: Added info about previewing binged.it, on.fb.me*, y.ahoo.it, and yhoo.it. Added lnk.ms, lnkd.in, mcaf.ee, and wp.me to the list of shorteners that unfortunately don't offer previews. *Note that on.fb.me is different from fb.me, and the latter cannot be previewed as far as I can tell. However, if you see a human-readable word or name after fb.me, this will redirect to one of Facebook's so-called "vanity URLs" for a user profile or fan page; thus fb.me/facebook will redirect to facebook.com/facebook.
UPDATE, 22 May 2012: Updated link and name for URLVoid's service (now called Unshorten URL instead of Extract URL). Added yi.tl preview instructions. Added bitly.com to the Bitly section and updated the old "bit.ly Pro" name to Bitly Enterprise. Added lots of Bitly Enterprise domains: aol.it, atmlb.com, bbc.in, bhpho.to, bloom.bg, cnet.co, huff.to, lat.ms, nyr.kr, on.mtv.com, on.vh1.com, politi.co, usat.ly, and wapo.st. Mentioned awe.sm. Removed st.im, short.ie, bu.tt, and kl.am, which all appear to be defunct. Removed mention of adjix.com, which is no longer accepting new URLs but is supposed to redirect previously created URLs "indefinitely" (it never offered a preview). Added note about the LongURL Firefox extension no longer being actively developed. Replaced link to Damon Cortesi's article on the Twitter StalkDaily Worm with an archived copy since the original site appears to be down.
UPDATE, 6 May 2013: Added buff.ly to Bitly Enterprise list. Mentioned unshorten.it extensions for Chrome and Firefox.
UPDATE, 10 May 2013: Updated URLVoid unshortener link to new Toolsvoid URL.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

24 comments:

  1. Josh,

    Very nice article . . . I gave a link to it from my "CyberCrime & Doing Time" article talking about Twitter and dangerous tiny URLs.

    http://garwarner.blogspot.com/2009/06/fake-twitter-linkedin-and-scribd-pages.html

    ReplyDelete
  2. Great article just what I was searching for "How to preview shortened URL's" I created a tinyurl of this page see the preview here:

    http://preview.tinyurl.com/oeb6yc

    Well Done Josh!

    ReplyDelete
  3. Three of the most popular URL Shortners offer the "preview" feature - is.gd/xyz-, preview.tinyurl.com/xyz, and bit.ly/info/xyz. If you want to build the functionality into your website(s) so that all shortened URLs are previewed, download the javascript at http://www.URLatex.com. Then your visitors will always know what they are clicking on.

    ReplyDelete
  4. I was looking for a way to do this, and it seemed like the only option was to install the Firebox bit.ly preview add-on, which has gotten horrible user reviews. So thanks! I'm going to tweet about this right now, since eeeeeeeveryone on Twitter is using bit.ly.

    ReplyDelete
  5. Thanks for the post. Very useful.

    ReplyDelete
  6. Great article. I just linked to it to raise the awareness of my family regarding shortened URLs. Hopefully, it will help them keep from getting their Facebook accounts hacked!!!

    ReplyDelete
  7. A note on the Firefox bit.ly Preview addon- it leaks the users entire browsing activity to bit.ly. See the post on Go To Hellman.

    ReplyDelete
  8. Regarding Eric Hellman's comment above, please note that I did NOT recommend the "bit.ly preview" Firefox add-on. The directions in this article explain how to manually discover the full URL to which a bit.ly link will redirect. The browser extension that I mentioned in the follow-up article is called LongURL Mobile Expander and is maintained by a third party unrelated to bit.ly.

    ReplyDelete
  9. What about the URL shortener from Google - http://goo.gl/

    ReplyDelete
  10. Ooh - very useful info - thanks for collating it all.

    For goo.gl URLs, it seems that adding a + sign to the end of a goo.gl URL works. I've only tried this experimentally and don't know if it's official? The plus sign seemes to take you to a URL containing an extra /info/ which decodes the URL.

    So
    http://goo.gl/{characters}+

    takes you to
    http://goo.gl/info/{characters}

    ReplyDelete
  11. Adding the + to a http://goo.gl/ shortened url
    will take you to a page that decodes it.

    ReplyDelete
  12. The plus sign for bit.ly URLs is really handy to know, since I'm a Twitter addict. Thanks!

    ReplyDelete
  13. super helpful resource. i've shared it w/coworkers. i was sick of getting random shortened links in chat messages from "friends". never trusted them & now i can know for sure.

    ReplyDelete
  14. AWESOME POST!!! JUST SHARED WITH FRIENDS ON FACEBOOK AS THE FB Groups are turning into spam source by many apps.. click any link and it will spam all the groups you are subscribed to.. Was sick.. I m happy now that i found a solution..

    ReplyDelete
  15. Thanks! I seriously hate the people who invented bit.ly and tinyURL. about 99.999999999999999999999999999999% of the stuff with those shorthand URLs are just spam. They literally do the spammers' jobs for them.

    ReplyDelete
  16. For yi.tl (http://yi.tl) just add a tilde to the end '~'. It not only shows you the full link but also checks the link against Google's Malware and Phishing databases.

    Add a '+' for stats.
    Add '.qr' for the QR code.

    ReplyDelete
  17. v.gd is another shortener that enables previews by default, from the people who made is.gd

    ReplyDelete
  18. Thank you so much for this article! I used it to make another cheat sheet in Russian in my LJ (with link to you, of course).
    Another update: "URLVoid Unshorten URL" changed from http://www.urlvoid.com/tools/unshorten-url/ to http://unshortenurl.urlvoid.com/

    ReplyDelete
  19. Good reference article!

    2 points i would like to make.

    1- URL shortening is very useful to understand what web content works or not via the visit stats.

    2- Spam? IMO, The term spam can be misleading at times and often is simply used to destroy someone else genuine business. I now think of it as another kind of bullying.

    What is the actual definition of spam?
    * irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

    Now a days, companies/individuals/websites simply need to make a living and want to cash-in the profits of any product/link shown in their own web site and because of this by branding anyone else offering a product/service a spammer that this definition IMO is changing. The fact most people don't realize is, that the majority of popular websites (e.g. Facebook, twitter, WordPress, etc, etc) already have systems in place to detect, block and even replace any URL shortening advertising links with their own advertising links. e.g. I found a really good deal for a product and posted in some deals website, next the link had been updated with their own personalized link so the deals website gets commission from where i seen the offer...

    Should we next consider any website out there offering Google adverts or any other form of advertising links which have financial interested behind it (e.g. a product review or a coupon/voucher) also be considered spammers?

    Basically if you pay a website to link to your product/products/services you are no longer considered a spammer but if you don't then those web sites have the power to brand any links to your product/products/service as being spam. Believe me I hate spam but branding someone a spammer can be just another form of bullying.

    ReplyDelete
  20. Hi, gadgetsa2z:

    On your first point, I agree that using URL shorteners that can track statistics can be useful. I normally use Bitly on social networks because it's free, it's widely known and respected, it allows users to preview the URL before visiting the destination site, and it provides stats. Just because someone is using a URL shortener doesn't mean that the destination site is bad.

    You raise the question of what exactly constitutes spam. I think this is an important discussion to have, especially on a site where the term is used frequently and not always defined explicitly.

    Spam comes in many forms, to be sure. It can be one of those "I know it when I see it" sort of things, but there are some keys that can make spam easier to identify (this is not a comprehensive list by any means):

    1) For one thing, spam is unsolicited, regardless of the medium (e-mail, blog comments, etc.) and usually comes from an organization or person a) with whom the recipient has never interacted previously and/or b) which the recipients never authorized to send them advertisements.
    2) On this site when I discuss spam, I mostly talk about the misleading or downright deceptive type. This variety of spam usually attempts to either trick the recipient into clicking on a link or to reply to the message, and it often doesn't deliver what is promised or implied (in other words, it's fraudulent; a scam).
    3) Sometimes a spam-advertised link goes to a site that may be legitimate but has been hijacked by someone with malicious intent (the idea here being that the hacked site's reputation will be sacrificed, possibly instead of the spammer's domains' reputation).
    4) In nearly every case, the goal of the spam is either to make money (often by questionable means) or infect visitors' computers or devices (which in turn is typically used as a means to make money).

    You try to force a question of whether any site with advertisements may be considered a spam site. That's obviously not the case. Legitimate businesses obviously need to make money in order to be sustainable and pay their employees, and advertising is often the preferred means of making a profit so that content or services can be provided for free or at a reduced cost. Legitimate companies are required by law to include opt-out instructions in every advertisement e-mail, and those opt-out instructions have to actually work. Legitimate companies do not send the deceptive or malicious kinds of spam that I usually talk about on this site.

    As for the question of whether labeling a site as a 'spam site' is used as a form of bullying, as far as I know it's not very common. I've seen "bullying" behavior most often on community-rated reputation sites, particularly targeted towards major political or religious sites. Some people have very strong opinions about these topics, and a subset of those people seem to think it's their duty to damage the reputation of a site if they don't agree with everything that the site stands for (or that they think the site stands for).

    A different form of spam-related bullying is when certain anti-spam organizations get a little too trigger-happy, blacklisting a legitimate site or mailing list and then making it extremely difficult for the legitimate company to get removed from the list. That form of bullying happens on occasion as well, but I don't know if it's an extremely common occurrence. One would hope that the motives behind anti-spam sites would be pure, but in some cases their methods and practices may be less than ideal.

    ReplyDelete
  21. Also in reply to gadgetsa2z:

    I should add that if you spend money for "SEO services" that claim to get your site linked from a number of popular sites or those with a high Google PageRank, this most likely means that the person or group offering those services will attempt to leave spam comments on those sites. Some people may pay for links or publicity and unknowingly get their site spamvertized, which can lead to their site getting blacklisted by anti-spam organizations. The damage to your site's reputation may be irreparable and will be a very bad thing for your site. Thus you'll have effectively wasted your money and have gotten nothing positive in return.

    ReplyDelete
  22. goo.gl/shortcode+ doesn't appear to work any more. It takes you to the front page unless you're logged in, in which case you get the analytic page.

    ReplyDelete
    Replies
    1. Gold, you were correct, at least for a short period of time. A few minutes ago I verified that I was only able to access http://goo.gl/1tRbb+ whilst logged into the Google account from which I created it. However, a few minutes later (after I was ready to publish an update to this article), I was again able to visit http://goo.gl/1tRbb+ and http://goo.gl/info/1tRbb whilst not logged into any Google account. Also, the goo.gl homepage still says, "All goo.gl URLs and click analytics are public and can be accessed by anyone." You may have noticed a temporary glitch that Google has already fixed.

      Delete
  23. This one's good and has plenty of advanced options:

    http://kfc.io

    - multiple long urls
    - custom name url
    - url password
    - expiry
    - limited number of url uses
    - save to folders
    - private or public url
    - QR code
    - API

    ReplyDelete

Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)