On many social networks, it's a common practice to use shortened redirect URLs rather than linking directly to the (often much longer) original URL of a page. This is especially common when character limits are imposed, such as Twitter's 140 character maximum.
From a security standpoint, blindly clicking on redirect URLs is probably not the best idea, especially if you don't know (or don't implicitly trust) the person who shared it. In fact, even a trusted user's account could theoretically be hijacked, as happened earlier today when an XSS attack was launched against Twitter.
Thankfully, many URL shortening services offer ways of previewing the full URL before visiting it. Instructions for some of these sites follow (roughly in order of popularity). Note that I do not necessarily endorse any of the services below; this information is given for information purposes only, based on what I was able to find out by researching and testing each service.
TinyURL
Add "preview." before the "tinyurl.com" portion of the URL to see where the link will take you, e.g. you can change http://tinyurl.com/cz23u4 into http://preview.tinyurl.com/cz23u4
Better yet, you can force TinyURL to always take you to the preview link whenever you click on a tinyurl.com shortcut. If you go to http://tinyurl.com/preview.php you can set a cookie for the site that will enable this feature.
bit.ly
Just add a plus ("+") after a bit.ly URL to see where the link will take you, and also to get statistics for that shortened URL. For example, you can change http://bit.ly/2KeAT into http://bit.ly/2KeAT+ which will redirect to http://bit.ly/info/2KeAT
Alternatively, you can add "/info" after the "bit.ly" portion of the URL. For example, you can change http://bit.ly/2KeAT into http://bit.ly/info/2KeAT
is.gd
Just add a hyphen ("-") to the end of any is.gd URL to preview it, e.g. http://is.gd/rZ7U can be changed into http://is.gd/rZ7U-
Snipurl / Snipr / Snurl / St.im / Cl.lk
Add "peek." before the snipurl.com, snipr.com, snurl.com, st.im, or cl.lk part of an address to find out where the link leads, e.g. http://snipurl.com/fpyfq can be changed into http://peek.snipurl.com/fpyfq
BudURL
Simply add a question mark ("?") to the end of any BudURL shortcut to preview it, e.g. you can change http://budurl.com/gtg3 into http://budurl.com/gtg3?
short.ie
Add "/see" after the short.ie portion of a URL to preview it, e.g. you can change http://short.ie/kviytq into http://short.ie/see/kviytq (Note: You need to enable JavaScript in order to create short.ie URLs.)
kl.am
In order to preview kl.am URLs, you must go to http://kl.am (with JavaScript and cookies enabled) and click on the checkbox next to "Preview mode: OFF" to turn preview mode on. (Yes, I typed that correctly.)
Tinyarro.ws / ta.gd
Tinyarro.ws is the only major URL shortener service I know of that automatically gives you a preview. The feature can be explicitly disabled by each user, if desired; there's a "Never show a URL preview again" link on each preview page, which when clicked sets a cookie to disable previews in the future.
Other services
Unfortunately, several major services (including, as far as I can tell: cli.gs, tr.im, twurl.cc, twurl.nl, ow.ly, and adjix.com) don't offer the ability to preview the original long URL before visiting it. Personally, I'm not interested in using URL shorteners that don't offer previews. It's just nice to give people the opportunity to be able to view the full URL without having to click the link first.
If you know of any other URL shortening services that offer a preview feature, feel free to leave a comment with the details of how to change a shortened URL into a preview URL.
See also my follow-up article, LongURL: Preview Shortened URLs, No Clicking Required.
UPDATE, 3 Mar 2010: Removed defunct shortening services: poprl.com, sn.im (which has been replaced with st.im and cl.lk), and plurl.me. Also added the plus character shortcut to the bit.ly section.
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
Posts
Another FakeAV, for Windows 7!
-
With Windows 7 becoming increasingly popular, more and more software
companies have begun to upgrade their interface for the latest Microsoft
operating sys...
18 hours ago
6 comments:
Good post. Very useful. Thank you.
Josh,
Very nice article . . . I gave a link to it from my "CyberCrime & Doing Time" article talking about Twitter and dangerous tiny URLs.
http://garwarner.blogspot.com/2009/06/fake-twitter-linkedin-and-scribd-pages.html
Great article just what I was searching for "How to preview shortened URL's" I created a tinyurl of this page see the preview here:
http://preview.tinyurl.com/oeb6yc
Well Done Josh!
Three of the most popular URL Shortners offer the "preview" feature - is.gd/xyz-, preview.tinyurl.com/xyz, and bit.ly/info/xyz. If you want to build the functionality into your website(s) so that all shortened URLs are previewed, download the javascript at http://www.URLatex.com. Then your visitors will always know what they are clicking on.
I was looking for a way to do this, and it seemed like the only option was to install the Firebox bit.ly preview add-on, which has gotten horrible user reviews. So thanks! I'm going to tweet about this right now, since eeeeeeeveryone on Twitter is using bit.ly.
Thanks for the post. Very useful.
Post a Comment