Security Risks of URL (Link) Shortening Services


URLs (website addresses) are shared through email, blogs, social media sites, bookmarking websites, and word of mouth, but we seldom consider whether this simple act can raise security threats. I will discuss some of the risks associated with sharing shortened URLs provided by URL shortening services.


What is URL Shortening?


The idea behind URL shortening (link shortening) is very simple: replace a long URL with a much shorter one. The service stores the original lengthy URL and maps the shortened URL to it.


The target link would typically be reduced from 220 characters to 25 characters, and this short version is what you would pass on to your friends. When someone opens the short URL, the shortening service looks up the original and redirects the user to it.


Social Media Sites


The 140-character limit imposed on Twitter messages makes sharing links a major problem. As a result, URL shortening services have proliferated, and on the whole they do a fantastic job. However, the risks of trusting third-party shortened links are substantial.


Most URL shortening services are free and available online. My website contains a more complete listing of these services.


Security Risk 1 - Link Manipulation


What is the link destination? Until you click on the link, it's usually impossible to determine your final destination. The true target is obscured.


Although these risks apply to all link masking technologies, you can usually judge the validity of an ordinary link, for example one you receive via email, by hovering your mouse over the URL to see its destination address.


With shortened URLs this first line of defense is gone, because the link takes you to a place you could not check beforehand. These URL shortening services have been used in phishing scams for this very reason.


Security Risk 2 - Ineffective Spam Filters


Spam filters cannot evaluate the legitimacy of the URL because the original URL is not available to them. Keeping track of this problem is nearly impossible, since the shortening services are free and take seconds to use.


Many shortening services take spam complaints very seriously and block malicious URLs immediately. One service currently scans registered URLs to detect blacklisted sites and disables the short URLs; others remove them, but new ones then take their place.


Even the Safe Browsing features in web browsers such as Google Chrome and Firefox, which warn users about malware or phishing sites, cannot protect you from shortened URLs. The user won't receive a warning but will be sent straight to the potentially dangerous page.


Security Risk 3 - Compromised Shortening Service


For a considerable number of years, I've used URL shortening services that have been shady. Several let me drop down to their directory structure when I type in an invalid URL. If such a service were hacked, its popular shortened URLs could be pointed at malicious sites and phishing scams.


Security Risk 4 - Privacy Issues


Link shortening services can track users' activity across multiple domains, resulting in possible privacy issues.


Security Solutions - Transparency


URL shorteners are constantly trying to solve security issues by adding "see before you click" features to their short URLs.


The destination address can optionally be shown by prefixing any TinyURL address with "preview".

A BudURL shortened link can be previewed by adding a "?" to the end of the URL.

When you hover the mouse over the short URL, the destination page appears as a popup.
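
The same "see before you click" idea can be applied by a mail or spam filter, which otherwise sees only the short URL. The following is an added example, not code from any shortening service: it walks the redirect chain one hop at a time without loading page content and checks every hop against a blocklist. The function names, hosts and blocklist entry are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def head_fetch(url, timeout=5):
    """Send one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_fetch, max_hops=10):
    """Return every URL in the redirect chain, starting with the short URL."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain                      # reached the final destination
        nxt = urljoin(chain[-1], location)    # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        if urlsplit(nxt).scheme not in ("http", "https"):
            raise ValueError("non-HTTP redirect target: " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def blocked_hops(chain, blocklist):
    """Hosts in the chain that match the blocklist exactly or as a subdomain."""
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    return [h for h in hosts if any(h == b or h.endswith("." + b) for b in blocklist)]

# Constructed sample data standing in for the network: a made-up shortener,
# an intermediate hop, and a made-up destination on a blocklisted domain.
SAMPLE = {
    "https://short.example/abc": (301, "https://hop.example/r?id=7"),
    "https://hop.example/r?id=7": (302, "/landing"),
    "https://hop.example/landing": (302, "http://login.bad.example/"),
    "http://login.bad.example/": (200, None),
}

def sample_fetch(url):
    return SAMPLE[url]
```

Calling `expand("https://short.example/abc", fetch=sample_fetch)` runs offline against the sample data; dropping the `fetch` argument uses real HEAD requests. With real requests every server in the chain still sees the lookup, so run it from a filtering or analysis host rather than the reader's own machine.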



You should pay very close attention to the links you click and to whether or not the source is known to be reliable. Be careful even when opening links from friends. We've all been too flippant with them.