URL Shortening Frenzy Comes with Security Risks

Google and Facebook are jumping into the URL shortening fray, but link shortening services come with security concerns

By Tony Bradley, PC World
December 15, 2009 02:32 PM ET

PC World - The options for shortening long URLs to a more manageable length are quickly proliferating with both Google and Facebook getting into the link shortening game. The shortened URLs are easier to send via e-mail, and they are a requirement for Twitter's 140-character limitation, but they also introduce security risks.

Filling a Need

Some URLs--particularly on sites like Amazon, YouTube, and eBay--can be exceptionally long. You have probably either sent or received an e-mail with a very long URL that has been broken because it carried over to the next line. Then you have to manually copy and paste the various pieces of the URL into your Web browser address bar to get to the destination. Not very convenient, to say the least.

Services like TinyURL came along to solve that problem by assigning a shorter alias URL. Using TinyURL, the URL http://www.pcworld.com/businesscenter/article/184608/report_atandt_reputation_tarnished_by_iphone_flaws.html becomes http://tinyurl.com/yae8pvp. TinyURL shrinks the 108-character URL down to a much less cumbersome 26 characters that fit nicely in e-mails and tweets.

Exploiting Trust

There are two main problems with link shortening services. First, they make it easier for attackers to distribute spam and phishing attacks because the actual destination URL is not displayed. Second, because link shortening is frequently used with social networking services like Facebook and Twitter, there is an inherent trust that the link will be legitimate.

When I receive the above link in its entirety, I can easily see that the actual destination domain is pcworld.com--especially if I am using the Internet Explorer 8 browser, which highlights the true domain as a defense against spoofed sites and phishing attacks. However, the TinyURL alias tells me nothing about the destination and could lead me to a malicious Web site.

Attackers can also circumvent many security controls by using URL shortening services. The URL shortening domains are trusted by default by firewalls, Web filters, and spam blocking tools, which makes it more difficult to identify and weed out links that lead to malicious destinations.

Looking Behind the Curtain

You need to have a way to determine where that shortened URL is going to lead you before you click on it, lest you find yourself the victim of some sort of drive-by download and your PC becomes part of a botnet. Thankfully, there are tools available to help out with that.

Twitter users can use tools like TweetDeck. TweetDeck has an option in the settings to "Show preview information for short URL's". With this setting enabled, when you click on a shortened URL within a tweet, a screen will appear that displays the title of the actual destination page, as well as the full-length URL.

There are other browser plug-ins and services that perform a similar function outside of Twitter. TinyURL offers an option to enable previews. You must have cookies enabled for the TinyURL previews to work, though. ExpandMyURL and LongURLPlease both provide Web browser plug-ins or applets that you can use to uncover the full URL behind the shortened link as well.
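
The preview tools above all do the same thing: follow the alias's redirects and show the real destination without loading it. The sketch below is an added example, not code from the article or from any of the services named; the function names and the SAMPLE redirect table (placeholder hosts) are constructed for illustration. It also returns the final host, which is what a Web or spam filter should evaluate instead of the shortener's domain.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def head_location(url, timeout=5):
    """One HEAD request; return the Location header of a 3xx reply, else None."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)  # http.client never follows redirects itself
    try:
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=5):
    """Return every URL in the redirect chain, short alias first, destination last."""
    chain = [url]
    for _ in range(max_hops + 1):
        location = fetch(chain[-1])
        if not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            raise ValueError("redirect to non-HTTP scheme: " + nxt)
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def destination_host(url, fetch=head_location):
    """Host a filter should judge: the final destination, not the shortener."""
    return urlsplit(expand(url, fetch)[-1]).hostname

# Constructed redirect table standing in for the network (placeholder hosts).
SAMPLE = {
    "http://short.example/abc": "http://hop.example/r?id=1",
    "http://hop.example/r?id=1": "/landing",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}

if __name__ == "__main__":
    print(expand("http://short.example/abc", SAMPLE.get))
```

Aliases can chain through more than one shortener, so the whole chain is returned rather than only the first hop.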
