On many social networks, it's a common practice to use shortened redirect URLs rather than linking directly to the (often much longer) original URL of a page. This is especially common when character limits are imposed, such as Twitter's 140 character maximum.
From a security standpoint, blindly clicking on redirect URLs is probably not the best idea, especially if you don't know (or don't implicitly trust) the person who shared it. In fact, even a trusted user's account could theoretically be hijacked, as happened earlier today when an XSS attack was launched against Twitter.
Thankfully, many URL shortening services offer ways of previewing the full URL before visiting it. Instructions for some of these sites follow (roughly in order of popularity). Note that I do not necessarily endorse any of the services below; this information is given for information purposes only, based on what I was able to find out by researching and testing each service.
TinyURL
Add "preview." before the "tinyurl.com" portion of the URL to see where the link will take you, e.g. you can change http://tinyurl.com/cz23u4 into http://preview.tinyurl.com/cz23u4
Better yet, you can force TinyURL to always take you to the preview link whenever you click on a tinyurl.com shortcut. If you go to http://tinyurl.com/preview.php you can set a cookie for the site that will enable this feature.
bit.ly / j.mp
Just add a plus ("+") after a bit.ly or j.mp URL to see where the link will take you, and also to get statistics for that shortened URL (bit.ly and j.mp are interchangeable). For example, you can change http://bit.ly/2KeAT into http://bit.ly/2KeAT+ which will redirect to http://bit.ly/info/2KeAT
Alternatively, you can add "/info" after the "bit.ly" or "j.mp" portion of the URL. For example, you can change http://bit.ly/2KeAT into http://bit.ly/info/2KeAT
is.gd
Just add a hyphen ("-") to the end of any is.gd URL to preview it, e.g. http://is.gd/rZ7U can be changed into http://is.gd/rZ7U-
Snipurl / Snipr / Snurl / Sn.im / St.im / Cl.lk
Add "peek." before the snipurl.com, snipr.com, snurl.com, sn.im, st.im, or cl.lk part of an address to find out where the link leads, e.g. http://snipurl.com/fpyfq can be changed into http://peek.snipurl.com/fpyfq
Tiny.cc
Just add a tilde ("~") to the end of any tiny.cc URL to preview it and get statistics for it, e.g. http://tiny.cc/d7bza can be changed into http://tiny.cc/d7bza~
BudURL
Simply add a question mark ("?") to the end of any BudURL shortcut to preview it, e.g. you can change http://budurl.com/gtg3 into http://budurl.com/gtg3?
short.ie
Add "/see" after the short.ie portion of a URL to preview it, e.g. you can change http://short.ie/kviytq into http://short.ie/see/kviytq (Note: You need to enable JavaScript in order to create short.ie URLs.)
kl.am
In order to preview kl.am URLs, you must go to http://kl.am (with JavaScript and cookies enabled) and click on the checkbox next to "Preview mode: OFF" to turn preview mode on. (Yes, I typed that correctly.)
sURL.co.uk
When you visit a sURL.co.uk short URL, you will automatically get a preview of the destination address and its status on hpHosts, Malware Domain List, and PhishTank so you can instantly see whether it's a known malware or phishing scam site. The preview cannot be disabled. This is by far the most safety-focused URL shortening service, which is no surprise since it's operated by the maintainer of hpHosts.
Tinyarro.ws / ta.gd
Tinyarro.ws is the only other URL shortener service I know of that automatically gives you a preview. The feature can be explicitly disabled by each user, if desired; there's a "Never show a URL preview again" link on each preview page, which when clicked sets a cookie to disable previews in the future.
Other services
Unfortunately, several popular services (including, as far as I can tell: cli.gs, tr.im, twurl.cc, twurl.nl, ow.ly, and adjix.com) don't offer the ability to preview the original long URL before visiting it. Personally, I'm not interested in using URL shorteners that don't offer previews. It's just nice to give people the opportunity to be able to view the full URL without having to click the link first.
If you know of any other URL shortening services that offer a preview feature, feel free to leave a comment with the details of how to change a shortened URL into a preview URL.
See also my follow-up article, LongURL: Preview Shortened URLs, No Clicking Required.
UPDATE, 3 Mar 2010: Removed defunct shortening services: poprl.com, sn.im (which has been replaced with st.im and cl.lk), and plurl.me. Also added the plus character shortcut to the bit.ly section.
UPDATE, 30 Mar 2010: Added tiny.cc and surl.co.uk.
UPDATE, 5 Apr 2010: Added j.mp and re-added sn.im.
For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
Posts
Google pays $8.5m to settle Buzz privacy invasion suit
-
The price of a Tweetbookish Gmail mod
Google has agreed to pay $8.5 million to settle a class action lawsuit
claiming it violated the privacy of Gmail use...
13 hours ago
9 comments:
Good post. Very useful. Thank you.
Josh,
Very nice article . . . I gave a link to it from my "CyberCrime & Doing Time" article talking about Twitter and dangerous tiny URLs.
http://garwarner.blogspot.com/2009/06/fake-twitter-linkedin-and-scribd-pages.html
Great article just what I was searching for "How to preview shortened URL's" I created a tinyurl of this page see the preview here:
http://preview.tinyurl.com/oeb6yc
Well Done Josh!
Three of the most popular URL Shortners offer the "preview" feature - is.gd/xyz-, preview.tinyurl.com/xyz, and bit.ly/info/xyz. If you want to build the functionality into your website(s) so that all shortened URLs are previewed, download the javascript at http://www.URLatex.com. Then your visitors will always know what they are clicking on.
I was looking for a way to do this, and it seemed like the only option was to install the Firebox bit.ly preview add-on, which has gotten horrible user reviews. So thanks! I'm going to tweet about this right now, since eeeeeeeveryone on Twitter is using bit.ly.
Thanks for the post. Very useful.
Great article. I just linked to it to raise the awareness of my family regarding shortened URLs. Hopefully, it will help them keep from getting their Facebook accounts hacked!!!
A note on the Firefox bit.ly Preview addon- it leaks the users entire browsing activity to bit.ly. See the post on Go To Hellman.
Regarding Eric Hellman's comment above, please note that I did NOT recommend the "bit.ly preview" Firefox add-on. The directions in this article explain how to manually discover the full URL to which a bit.ly link will redirect. The browser extension that I mentioned in the follow-up article is called LongURL Mobile Expander and is maintained by a third party unrelated to bit.ly.
Post a Comment