Saturday, April 11, 2009

How to Preview Shortened URLs (TinyURL,,, and more)

On many social networks, it's a common practice to use shortened redirect URLs rather than linking directly to the (often much longer) original URL of a page. This is especially common when character limits are imposed, such as Twitter's 140 character maximum.

From a security standpoint, blindly clicking on redirect URLs is probably not the best idea, especially if you don't know (or don't implicitly trust) the person who shared it. In fact, even a trusted user's account could theoretically be hijacked, as happened earlier today when an XSS attack was launched against Twitter.

Thankfully, many URL shortening services offer ways of previewing the full URL before visiting it. Instructions for some of these sites follow (roughly in order of popularity). Note that I do not necessarily endorse any of the services below; this is provided for informational purposes only, based on what I was able to find out by researching and testing each service.

Add "preview." before the "" portion of the URL to see where the link will take you, e.g. you can change into
Better yet, you can force TinyURL to always take you to the preview link whenever you click on a shortcut. If you go to you can set a cookie for the site that will enable this feature.

/ / / (and Bitly Enterprise sites like,,,,,,,,,,,,,,,,,,,,,, etc.)
Just add a plus ("+") after a URL to see where the link will take you, and also to get statistics for that shortened URL (,,, and are interchangeable). For example, you can change into which will redirect to
Alternatively, you can add "/info" after the domain portion of the URL. For example, you can change into

Note that links always redirect to, and links redirect to (The New York Times). These companies have Bitly Enterprise (formerly known as " Pro") accounts and use the special URLs to link only to their own sites, so you can be reasonably confident about where these URLs will take you. Other Bitly Enterprise sites like (owned by O'Reilly Media) do not link exclusively to one specific site. All Bitly Enterprise addresses, regardless of which company is responsible for them, can be previewed the same way as regular addresses using the methods outlined above.
Google's short URLs can be previewed the same way as URLs. Just add a plus ("+") after a URL to see where the link will take you, and also to get statistics for that shortened URL. For example, you can change into which will redirect to
Alternatively, you can add "/info" after the "" portion of the URL. For example, you can change into
Just add a hyphen ("-") to the end of any URL to preview it, e.g. can be changed into

Snipurl / Snipr / Snurl / /
Add "peek." before the,,,, or part of an address to find out where the link leads, e.g. can be changed into
Just add a tilde ("~") to the end of any URL to preview it and get statistics for it, e.g. can be changed into

Simply add a question mark ("?") to the end of any BudURL shortcut to preview it, e.g. you can change into

Like BudURL, just add a question mark ("?") to the end of any Fwd4.Me URL to preview it, e.g. you can change into (Note: You need to enable JavaScript in order to create Fwd4.Me URLs.)
StumbleUpon's URL shortener,, can be previewed similarly to; just add a "+" after a URL to get a preview page, e.g. you can change into (Note that shortcuts put an annoying StumbleUpon bar across the top of the destination page.)
This service provides a preview if you add a tilde ("~") after the URL. For example, you can change into to see the long URL. As a bonus, you'll also get to see the title of the destination page and see whether the URL is in Google's phishing or malware database.
In order to preview URLs, you must go to (with JavaScript and cookies enabled) and click on the checkbox next to "Show me a preview of the destination URL when viewing links".
When you visit a short URL, you will automatically get a preview of the destination address and its status on hpHosts, Malware Domain List, and PhishTank so you can instantly see whether it's a known malware or phishing scam site. The preview cannot be disabled. This is by far the most safety-focused URL shortening service, which is no surprise since it's operated by the maintainer of hpHosts.
Another service that automatically gives you a preview is The feature can be explicitly disabled by each user, if desired; there's a "Click here to disable previews" link on each preview page, which when clicked sets a cookie to disable previews in the future. / is the only other URL shortener service I know of that automatically gives you a preview. Again, the preview can be disabled, if desired; there's a "Never show a URL preview again" link on each preview page, which when clicked sets a cookie to disable previews in the future.
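The prefix and suffix rules described above can be applied mechanically. The following is an added example, not code from the original article: the host names in `RULES` are assumptions filled in for illustration (the article's own URLs did not survive on this page), and `preview_url` is a hypothetical helper. It matches hosts exactly, so a lookalike host gets no preview rule applied.

```python
from urllib.parse import urlsplit

# Host names are assumptions added for this example; the rule attached to
# each one is the rule the article describes for that service.
RULES = {
    "tinyurl.com": ("prefix", "preview."),  # add "preview." before the host
    "snipurl.com": ("prefix", "peek."),     # add "peek." before the host
    "bit.ly":      ("suffix", "+"),         # add "+" after the short code
    "budurl.com":  ("suffix", "?"),         # add "?" after the short code
}


def _lookup(host):
    """Exact-match the host (or its already-prefixed preview form)."""
    for base, (kind, token) in RULES.items():
        if host == base or (kind == "prefix" and host == token + base):
            return base, kind, token
    return None


def preview_url(short_url):
    """Return the preview form of short_url, or None if no rule applies."""
    if "://" not in short_url:
        short_url = "http://" + short_url  # links are often pasted bare
    parts = urlsplit(short_url)
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname ignores any "user@" part, so "bit.ly@other.example" is
    # looked up as other.example and rejected below.
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    rule = _lookup(host)
    if rule is None:
        return None  # unknown service: use a third-party expander instead
    base, kind, token = rule
    code = parts.path.strip("/")
    if kind == "suffix" and token != "?":
        code = code.rstrip(token)  # tolerate a link that is already a preview
    if not code:
        return None  # bare domain, no short code to preview
    if kind == "prefix":
        return f"{parts.scheme}://{token}{base}/{code}"
    return f"{parts.scheme}://{base}/{code}{token}"
```
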

Other services
Unfortunately, several popular services (including, as far as I can tell:,,,,,,,, and don't offer the ability to preview the original long URL before visiting it. Personally, I'm not interested in using URL shorteners that don't offer previews. It's just nice to give people the opportunity to be able to view the full URL without having to click the link first. However, if someone else sends you a shortened link from another service and you want to preview it, you may still be able to do so using a third-party site. Here are a couple of sites that let you do just that:
If you know of any other URL shortening services that offer a preview feature, feel free to leave a comment with the details of how to change a shortened URL into a preview URL.

See also my follow-up article about a Firefox add-on that lets you preview full URLs automatically: LongURL: Preview Shortened URLs, No Clicking Required. (UPDATE: This add-on is no longer being developed and will not work with current versions of Firefox. The best alternative I've been able to find is for Firefox and Chrome.)

UPDATE, 3 Mar 2010: Removed defunct shortening services:, (which has been replaced with and, and Also added the plus character shortcut to the section. 
UPDATE, 30 Mar 2010: Added and
UPDATE, 5 Apr 2010: Added and re-added
UPDATE, 30 Nov 2010: Added due to popular demand, plus mentioned Pro. Also added a couple sites that can be used to find out long URLs, even when the shortening service itself doesn't offer a way to preview where a link will take you.
UPDATE, 25 Jan 2011: Added info about previewing,,,,, and Added and Twitter's own to the list of shorteners that unfortunately don't offer previews. Removed mentions of defunct and
UPDATE, 31 Mar 2011: Added info about previewing,*,, and Added,,, and to the list of shorteners that unfortunately don't offer previews. *Note that is different from, and the latter cannot be previewed as far as I can tell. However, if you see a human-readable word or name after, this will redirect to one of Facebook's so-called "vanity URLs" for a user profile or fan page; thus will redirect to
UPDATE, 22 May 2012: Updated link and name for URLVoid's service (now called Unshorten URL instead of Extract URL). Added preview instructions. Added to the Bitly section and updated the old " Pro" name to Bitly Enterprise. Added lots of Bitly Enterprise domains:,,,,,,,,,,,,, and Mentioned Removed,,, and, which all appear to be defunct. Removed mention of, which is no longer accepting new URLs but is supposed to redirect previously created URLs "indefinitely" (it never offered a preview). Added note about the LongURL Firefox extension no longer being actively developed. Replaced link to Damon Cortesi's article on the Twitter StalkDaily Worm with an archived copy since the original site appears to be down.
UPDATE, 6 May 2013: Added to Bitly Enterprise list. Mentioned extensions for Chrome and Firefox.
UPDATE, 10 May 2013: Updated URLVoid unshortener link to new Toolsvoid URL.



  1. Good post. Very useful. Thank you.

  2. Josh,

    Very nice article . . . I gave a link to it from my "CyberCrime & Doing Time" article talking about Twitter and dangerous tiny URLs.

  3. Great article just what I was searching for "How to preview shortened URL's" I created a tinyurl of this page see the preview here:

    Well Done Josh!

  4. Three of the most popular URL Shorteners offer the "preview" feature -,, and If you want to build the functionality into your website(s) so that all shortened URLs are previewed, download the javascript at Then your visitors will always know what they are clicking on.

  5. I was looking for a way to do this, and it seemed like the only option was to install the Firefox preview add-on, which has gotten horrible user reviews. So thanks! I'm going to tweet about this right now, since eeeeeeeveryone on Twitter is using

  6. Thanks for the post. Very useful.

  7. Great article. I just linked to it to raise the awareness of my family regarding shortened URLs. Hopefully, it will help them keep from getting their Facebook accounts hacked!!!

  8. A note on the Firefox Preview addon- it leaks the user's entire browsing activity to See the post on Go To Hellman.

  9. Regarding Eric Hellman's comment above, please note that I did NOT recommend the " preview" Firefox add-on. The directions in this article explain how to manually discover the full URL to which a link will redirect. The browser extension that I mentioned in the follow-up article is called LongURL Mobile Expander and is maintained by a third party unrelated to

  10. What about the URL shortener from Google -

  11. Ooh - very useful info - thanks for collating it all.

    For URLs, it seems that adding a + sign to the end of a URL works. I've only tried this experimentally and don't know if it's official? The plus sign seems to take you to a URL containing an extra /info/ which decodes the URL.


    takes you to{characters}

  12. Adding the + to a shortened url
    will take you to a page that decodes it.

  13. The plus sign for URLs is really handy to know, since I'm a Twitter addict. Thanks!

  14. super helpful resource. i've shared it w/coworkers. i was sick of getting random shortened links in chat messages from "friends". never trusted them & now i can know for sure.

  15. AWESOME POST!!! JUST SHARED WITH FRIENDS ON FACEBOOK AS THE FB Groups are turning into spam source by many apps.. click any link and it will spam all the groups you are subscribed to.. Was sick.. I'm happy now that I found a solution..

  16. Thanks! I seriously hate the people who invented and tinyURL. about 99.999999999999999999999999999999% of the stuff with those shorthand URLs are just spam. They literally do the spammers' jobs for them.

  17. For ( just add a tilde to the end '~'. It not only shows you the full link but also checks the link against Google's Malware and Phishing databases.

    Add a '+' for stats.
    Add '.qr' for the QR code.

  18. is another shortener that enables previews by default, from the people who made

  19. Thank you so much for this article! I used it to make another cheat sheet in Russian in my LJ (with link to you, of course).
    Another update: "URLVoid Unshorten URL" changed from to

  20. Good reference article!

    2 points I would like to make.

    1- URL shortening is very useful to understand what web content works or not via the visit stats.

    2- Spam? IMO, The term spam can be misleading at times and often is simply used to destroy someone else genuine business. I now think of it as another kind of bullying.

    What is the actual definition of spam?
    * irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

    Nowadays, companies/individuals/websites simply need to make a living and want to cash-in the profits of any product/link shown in their own web site and because of this by branding anyone else offering a product/service a spammer that this definition IMO is changing. The fact most people don't realize is, that the majority of popular websites (e.g. Facebook, twitter, WordPress, etc, etc) already have systems in place to detect, block and even replace any URL shortening advertising links with their own advertising links. e.g. I found a really good deal for a product and posted in some deals website, next the link had been updated with their own personalized link so the deals website gets commission from where I saw the offer...

    Should we next consider any website out there offering Google adverts or any other form of advertising links which have financial interest behind it (e.g. a product review or a coupon/voucher) also be considered spammers?

    Basically if you pay a website to link to your product/products/services you are no longer considered a spammer but if you don't then those web sites have the power to brand any links to your product/products/service as being spam. Believe me I hate spam but branding someone a spammer can be just another form of bullying.

  21. Hi, gadgetsa2z:

    On your first point, I agree that using URL shorteners that can track statistics can be useful. I normally use Bitly on social networks because it's free, it's widely known and respected, it allows users to preview the URL before visiting the destination site, and it provides stats. Just because someone is using a URL shortener doesn't mean that the destination site is bad.

    You raise the question of what exactly constitutes spam. I think this is an important discussion to have, especially on a site where the term is used frequently and not always defined explicitly.

    Spam comes in many forms, to be sure. It can be one of those "I know it when I see it" sort of things, but there are some keys that can make spam easier to identify (this is not a comprehensive list by any means):

    1) For one thing, spam is unsolicited, regardless of the medium (e-mail, blog comments, etc.) and usually comes from an organization or person a) with whom the recipient has never interacted previously and/or b) which the recipients never authorized to send them advertisements.
    2) On this site when I discuss spam, I mostly talk about the misleading or downright deceptive type. This variety of spam usually attempts to either trick the recipient into clicking on a link or to reply to the message, and it often doesn't deliver what is promised or implied (in other words, it's fraudulent; a scam).
    3) Sometimes a spam-advertised link goes to a site that may be legitimate but has been hijacked by someone with malicious intent (the idea here being that the hacked site's reputation will be sacrificed, possibly instead of the spammer's domains' reputation).
    4) In nearly every case, the goal of the spam is either to make money (often by questionable means) or infect visitors' computers or devices (which in turn is typically used as a means to make money).

    You try to force a question of whether any site with advertisements may be considered a spam site. That's obviously not the case. Legitimate businesses obviously need to make money in order to be sustainable and pay their employees, and advertising is often the preferred means of making a profit so that content or services can be provided for free or at a reduced cost. Legitimate companies are required by law to include opt-out instructions in every advertisement e-mail, and those opt-out instructions have to actually work. Legitimate companies do not send the deceptive or malicious kinds of spam that I usually talk about on this site.

    As for the question of whether labeling a site as a 'spam site' is used as a form of bullying, as far as I know it's not very common. I've seen "bullying" behavior most often on community-rated reputation sites, particularly targeted towards major political or religious sites. Some people have very strong opinions about these topics, and a subset of those people seem to think it's their duty to damage the reputation of a site if they don't agree with everything that the site stands for (or that they think the site stands for).

    A different form of spam-related bullying is when certain anti-spam organizations get a little too trigger-happy, blacklisting a legitimate site or mailing list and then making it extremely difficult for the legitimate company to get removed from the list. That form of bullying happens on occasion as well, but I don't know if it's an extremely common occurrence. One would hope that the motives behind anti-spam sites would be pure, but in some cases their methods and practices may be less than ideal.

  22. Also in reply to gadgetsa2z:

    I should add that if you spend money for "SEO services" that claim to get your site linked from a number of popular sites or those with a high Google PageRank, this most likely means that the person or group offering those services will attempt to leave spam comments on those sites. Some people may pay for links or publicity and unknowingly get their site spamvertized, which can lead to their site getting blacklisted by anti-spam organizations. The damage to your site's reputation may be irreparable and will be a very bad thing for your site. Thus you'll have effectively wasted your money and have gotten nothing positive in return.

  23. doesn't appear to work any more. It takes you to the front page unless you're logged in, in which case you get the analytic page.

    1. Gold, you were correct, at least for a short period of time. A few minutes ago I verified that I was only able to access whilst logged into the Google account from which I created it. However, a few minutes later (after I was ready to publish an update to this article), I was again able to visit and whilst not logged into any Google account. Also, the homepage still says, "All URLs and click analytics are public and can be accessed by anyone." You may have noticed a temporary glitch that Google has already fixed.

  24. This one's good and has plenty of advanced options:

    - multiple long urls
    - custom name url
    - url password
    - expiry
    - limited number of url uses
    - save to folders
    - private or public url
    - QR code
    - API

