Security Risks of URL (Link) Shortening Services
We all share URLs (website links) with each other through emails, blogs, social media sites, book marking websites and word of mouth and we rarely, if ever, think about the potential security risk this simple act can raise. In this article I will outline some of the potential risks involved in sharing shortened links supplied by URL Shortening Services.
What is URL Shortening?
The idea behind URL shortening or link shortening is very simple, take a long URL and use an algorithm to encrypt it so that it produces a shorter URL. This is what URL shortening services do. They provide a shortened URL address which is then mapped to the original long URL.
Lets presume we have a link, the original desired destination, that is 220 characters long. Encrypted this link would typically be reduced to 25 characters in length, this is the link you would pass to your friends. When your friends click on the short URL the shortening service website maps this short URL to the original longer URL and redirects the user.
Social Media Sites
With social media sites such as Twitter the sharing of links is problematic at best because of the 140 character limit imposed on message length. Many links are easily over this character limit.
This problem has given rise to the proliferation of URL Shortening Services and whilst these services do a fantastic job on the whole, there are risks involved with trusting a third party to redirect your links, especially if you are using the service for business purposes.
There are over 100 URL shortening services online, the majority of which are free. A more complete list of these services can be found in the links at the end of this article.
Security Risk 1 – Link Manipulation
Where is the shortened link going to take you? There is usually no way of knowing your final destination until you click the link. The true target is obscured.
Admittedly this risk applies to all link cloaking technologies but usually when you receive a dubious link via email for example, you can either view the plain text version of the link or hover your mouse over the URL to see the destination address and assess its validity.
With all shortened URLs this first line of defence has been removed, you don’t know where clicking the link will take you. Email Phishing scams are using the URL shortening services for this very reason.
Security Risk 2 – Ineffective Spam Filters
Because the original URL is not available spam filter systems cannot make a judgement about the validity of the URL. Plus, with the shortening services being freely available and taking only seconds to use, keeping abreast of this problem is almost impossible.
Many shortening services take spam complaints very seriously and disable spam URLs immediately upon discovery. Some services actively scan registered URLs for blacklisted websites and disable the shortened URLs, but, no sooner is one removed than another takes its place.
Even the Safe Browsing features of web browsers such as Firefox and Google Chrome which warns users of malware or phishing sites are no match for shortened URLs. No warning will be issued, instead, users are sent directly to the potentially dangerous web page.
Security Risk 3 – Compromised Shortening Service
A considerable number of the URL shortening services I’ve visited have not been very secure. Several let me drop down to their directory structure just by typing an invalid URL. Poor security leaves sites open to risk,, hacking such a website would allow popular shortened URLs to be redirected to phishing or malware sites.
Security Risk 4 – Privacy Issues
Link shortening services are in a position to track user’s behaviour across many domains so creating possible privacy issues.
Security Solutions – Transparency
Some URL shortening services are actively trying to solve security issues by adding a “see before you click” functionality to their short URLs.
- Any tinyURL shortened URL can be prefixed with the text “preview” to show the destination address.
- A BudURL shortened link can be previewed by adding a “?” to the end of the URL.
- Some services are providing a popup window to display the destination webpage when your mouse is hovered over the short URL.
Unless you are sure about the links you are clicking and you know the link comes from a reliable source (this applies to all links really) then be very wary about the destination page you are about to reach. I’m sure you’ve had many email scams requesting your bank details etc., most people have. We’ve all become very flippant with unknown links, especially if they come from our friends, be careful out their, it’s a beautiful but sometimes cruel world.