URL shortening is hot--but look before you leap


10.Oct.2021

URL shortening services are in the spotlight.

Big names like Google, Microsoft and AOL have joined Twitter in embracing these tools to create easy-to-type Web addresses for their millions of users. But there are still plenty of reasons to pause before you sign up with one of these companies.

The biggest concern is security. Shortened URLs can hide malicious payloads, taking unsuspecting users straight to dangerous destinations without their realizing it. That's why last month, anti-virus company Sophos issued a warning about using URL shorteners after researchers discovered that shortened URLs provided by Bitly hid malware. Sophos found that when clicked on iOS devices, the infected links quickly took over iPhones or iPads. Bitly says its team has fixed the problem.

But the problem isn't limited to iOS users, said Graham Cluley, senior technology consultant at Sophos. "This is a big issue for all operating systems," he told SecurityWatch. Any device that follows a shortened URL to its destination risks being infected, Cluley said. Bitly says it scans links before they go live and quarantines any malicious ones, but Cluley doesn't think this is enough.

"URLs can be shortened to look like anything," he said. "It's not necessarily obvious what you're linking to."

The other security concern with short URLs relates to the link-tracking tools used by sites such as Google Analytics or Twitter's Tweet Button. Those services rely on a long URL to gather information about the particular page users are going to. But if you visit a shortened URL before going there, those tools can't work their magic and provide valuable data for sites.

Blogs such as ReadWriteWeb have suggested that this could be fixed by adding tracking codes at the end of short URLs, but Cluley said that it would just shift the security risk from your computer to those servers.

"Once you've gone through the process of making a shortened link, suddenly it becomes useful," he said. "And if bad people know how to use them and how they work, then all they'll do is change which service is used."

But it doesn't have to be this way, said Ola Sevandersson, a developer at the URL shortening service Bitly.

In addition to its opt-in security feature that allows users to receive an alert when they click on a malicious link, Bitly is also working on a new service called Trust API. It will let developers add authentication tools--essentially asking for permission before sending information from your browser back to the site you're visiting--to shortened URLs. The goal is to create user awareness and confidence in using these services while making sure that people can still get access to the sites and content they need, Sevandersson said.

"URLs are the basis of almost all online behavior, from reading articles to following links. But they're also a big part of what's driving spam and abuse on the Internet," he said. "In order for them to stay viable and useful, we need to be able to trust that they're safe."

Sevandersson envisions Trust API as a tool that will provide better security for users and information availability for developers. Once it's switched on later this year, sites with shortened URLs can use Bitly's authentication service to ensure their visitors' safety. And if your site is one of those sharing URLs with its users, you'll know who is clicking so you can keep track of your traffic. It is an opt-in system that allows you to receive an alert when someone clicks on a vote button or Tweet Button, which could indicate a malicious link. Bitly is also now scanning those links for malware and quarantining those with bad code.

In either case users should be aware of the risks URL shorteners pose, as well as what they can do to protect themselves from potential harm. You can start by exercising caution with shortened links within shortened URLs, said Sophos' Cluley. If possible, stick to services such as BITLY rather than going directly through others like bit.ly. And if you see a shortened link come across your Twitter timeline, take the time to expand it and figure out where it's actually taking you before clicking on it, he said.

"The problem is these services are very useful," Cluley said. "There's a thin line between security and usability."
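One way to expand a shortened link before clicking it, as Cluley advises above, is to walk its redirect chain with HEAD requests and flag nested shorteners. This is an added example, not code from Sophos or Bitly; the shortener host list, the function names and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Assumption: a small illustrative set of shortener hosts, not a complete list.
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl"}

def head_location(url, timeout=5):
    """One HEAD request: returns (status, Location). No body, no auto-follow."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=10):
    """Walk the redirect chain hop by hop; return (chain, warnings)."""
    chain, warnings = [url], []
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break                                  # reached a non-redirect page
        nxt = urljoin(chain[-1], location)         # Location may be relative
        if nxt in chain:
            warnings.append("redirect loop")
            break
        chain.append(nxt)
        if urlsplit(nxt).scheme not in ("http", "https"):
            warnings.append("non-HTTP redirect target")
            break
    else:
        warnings.append("hop limit reached, destination unknown")
    hops = [u for u in chain if urlsplit(u).hostname in SHORTENER_HOSTS]
    if len(hops) > 1:
        warnings.append("shortened link inside a shortened link")
    return chain, warnings

# Constructed sample responses so the example runs offline.
CONSTRUCTED = {
    "https://bit.ly/EXAMPLE1": (301, "https://t.co/EXAMPLE2"),
    "https://t.co/EXAMPLE2": (302, "https://landing.example/page"),
    "https://bit.ly/LOOP": (301, "https://bit.ly/LOOP"),
}

def fake_fetch(url):
    return CONSTRUCTED.get(url, (200, None))
```

Calling `expand(url)` without `fetch=fake_fetch` sends real HEAD requests, so the final page itself is never downloaded or rendered.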


Fueled by Twitter's popularity, services to abbreviate Web addresses are taking off. They bring a host of problems, but some are working to fix them.
