Shortened URLs: the real dangers behind and how to avoid troubles

URL-shortening services such as TinyURL and Bit.ly are popular for shortening long URLs that might break or are simply too long when inserted in email, posts on Twitter, blogs and so on.

The potential dangers and risks

The dark side is that with these shortening services you can no longer see directly where your browser will be sent. Shortened URLs could lead to the following security risks:

  • web sites that host malware, trojans and other malicious programs
  • web sites that could exploit security risks in a browser or system
  • web sites that contain phishing attempts and try to steal personal information
  • web sites that contain phishing attempts by social interaction
  • web sites that are being used in spam campaigns

A real example of shortened URL abuse

MX Lab has intercepted a message from Sefedin Abazi <sabazi@hotmail.com> with the subject “Fotos 26/06”. This is the message content:

7:37:25 PM Fotos 26/06 :
Imagens anexadas: DSC_332.jpgDSC_333.jpgDSC_334.jpg
Videos Hotmail.com: www.hotmail.com/videos
————————————————————————
See all the ways you can stay connected to friends and family

With this email it looks like someone has sent you some photos, and perhaps your curiosity is triggered and you click on the short URL. The names of the photos and the video link contain the shortened URL link: hxxp://cli.gs/21YUde (do not use please).

By clicking on the shortened URL, your browser will make a connection to hxxp://fotos.live.fromru.su and will download the file xupload.exe.

When we submitted the file to Virus Total (permalink and MD5: 41e441403bae688961d276b2ab1f9bca), we found out that the malware is known as Gen:Trojan.Heur.B090E1F4F4 (by GData), W32/Obfuscated.B!genr (by Norman), W32/Trojan-disguised-based!Maximus (by F-Prot) or Mal/Generic-A (Sophos). The major problem is that 21 of the 41 AV engines did not detect the malware.

Without going too much into the technical details of the malware, we could conclude that downloading and executing xupload.exe could lead to a surprise.

Furthermore, some URL-shortening services not only shorten the URL but also track the usage of the generated URLs. This way the “distributor” can gather statistics on how many times a malicious shortened URL is being used, in what country, and so on.

How to preview a shortened URL

By previewing the short URL you can determine if your destination is safe enough to visit.

TinyURL
Some URL-shortening services have a preview feature where you can submit the shortened URL and view the full URL before visiting the site. For TinyURL you can visit http://tinyurl.com/preview.php directly. A second method is to place “preview.” before tinyurl.com. For example http://tinyurl.com/mfhxxj becomes http://preview.tinyurl.com/mfhxxj.

bit.ly
The service bit.ly (http://bit.ly/) uses a different approach. You will need to install a plug-in for Firefox and hover over a shortened URL to get a tooltip with the page title, long URL, and any click data about the page the URL links to. There is also a Firefox plug-in available.

is.gd
is.gd has information on their instructions page on how to enable or disable previews by using a cookie on your computer. You can also add a hyphen (dash) to the end of the shortened URL. For example http://is.gd/1D6db is the shortened URL. By using http://is.gd/1D6db- your browser will be taken to a preview page first.

Snipurl / Snipr / Snurl / Sn.im
Add the string “peek.” before the snipurl.com part of a short URL to find out where the link leads. http://snipurl.com/nh0l0 can be changed into http://peek.snipurl.com/nh0l0 for a preview.

BudURL
Simply add a “?” to the end of a BudURL to preview it. For example http://budurl.com/ehnw?

short.ie
Same technique as with the POPrl. Insert “/see” after the short.ie/ portion of the URL. For example change http://short.ie/ij6nvk into http://short.ie/see/ij6nvk.

kl.am
Go to http://kl.am and click on the checkbox next to “Preview mode: OFF” to turn preview on.

Tinyarro.ws / ta.gd
Tinyarro.ws gives a preview by default. There is a countdown enabled so you have time to preview the full URL and cancel the redirection if needed.

ExpandMyURL
The web site Expand My URL allows you to preview short URLs from TinyURL, bit.ly and is.gd.

LongURL
This web site can provide a preview for more than 200 URL-shortener services, including tinyurl.com, is.gd, ping.fm, ur1.ca, bit.ly, snipurl.com, tweetburner.com, metamark.net, url.ie, x.se, 6url.com, yep.it, piurl.com and more. LongURL is also available as a Firefox plugin.

It is possible that not all URL shortener services that offer some kind of preview feature are listed here. If you find others, please let me know so I can include them.
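An added example, not code from the original article: it scans a message body for links, flags the shorteners named above, and builds the preview URL for the services that support a simple URL rewrite. The sample message, the `cli.gs` key and the function names are constructed for illustration; nothing is fetched.

```python
import re
from urllib.parse import urlsplit

# Rewrite rules from the list above: (scheme, host, path) -> preview URL.
PREVIEW_RULES = {
    "tinyurl.com": lambda s, h, p: f"{s}://preview.{h}{p}",
    "snipurl.com": lambda s, h, p: f"{s}://peek.{h}{p}",
    "is.gd":       lambda s, h, p: f"{s}://{h}{p}-",
    "budurl.com":  lambda s, h, p: f"{s}://{h}{p}?",
    "short.ie":    lambda s, h, p: f"{s}://{h}/see{p}",
}
# Shorteners named in the article that have no URL-rewrite preview.
NO_REWRITE = {"bit.ly", "cli.gs", "kl.am", "ta.gd", "tinyarro.ws"}

# Matches normal and defanged (hxxp) links.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)


def triage_links(text):
    """Return (link_as_seen, verdict, preview_url_or_None) for each link."""
    results = []
    for seen in URL_RE.findall(text):
        seen = seen.rstrip(".,;:!)")  # drop sentence punctuation
        # Refang hxxp -> http only so the URL can be parsed.
        parts = urlsplit(re.sub(r"^hxxp", "http", seen, flags=re.IGNORECASE))
        host = (parts.hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        has_key = parts.path not in ("", "/")
        if host in PREVIEW_RULES and has_key:
            preview = PREVIEW_RULES[host](parts.scheme, host, parts.path)
            results.append((seen, "preview", preview))
        elif host in NO_REWRITE and has_key:
            # Use the service's plug-in/setting or an expander site first.
            results.append((seen, "expand-first", None))
        else:
            results.append((seen, "not-listed", None))
    return results


# Constructed sample message (the cli.gs key is a placeholder).
SAMPLE = (
    "Imagens anexadas: DSC_332.jpg hxxp://cli.gs/EXAMPLE1\n"
    "Slides: http://tinyurl.com/mfhxxj, notes: http://is.gd/1D6db.\n"
    "Manual: https://www.example.org/manual (not a shortener)\n"
)

if __name__ == "__main__":
    for row in triage_links(SAMPLE):
        print(row)
```
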

Updated: 07-18-2009: added LongURL and some links to Firefox extensions.

7 Comments

  1. Hi,

    Just wanted to thank you for mentioning http://www.expandmyurl.com and to clarify we preview short URLs from over 100 different shortening services covering over 99% of the short links created.

    We don’t yet have a firefox plugin, that’s next on the cards! But we do have a javascript bookmarklet that allows you to preview short links within your webpage in any browser.

    Another useful feature that we include is the ability to expand short links hidden within short links just in case someone maliciously hides a nasty short link within another shortURL!

    But a nice article, highlighting the dangers of shortened URLs, a topic that will only gain in importance as sites like twitter gain in popularity.

  2. Thanks for sharing this information with us.

  3. Short links are not my favorite thing to click on. Thanks for the breakdown

  4. The data show that this is an issue, of course. But I think first is that users should rely on services (like bit.ly) that screen URLs for spam and malware when the short URL is created. That addresses most of the problem.

    • Yes, I agree with your posting. Shortened URLs would be more secure if those services like bit.ly and others first make a scan of the submitted URL and decide whether it is directing to a spam web site or a site that hosts malware. Integrating security systems at the source is part of the solution.

      But so far I haven’t seen one Shortening URL service that will actually verify their submissions. Security should be one of their priorities at the moment to avoid abuse of their services. They give a potential tool to a spammer or malware distributor even if that’s not the goal or intention of the Shortening URL service.
