
While describing two popular URL shortening services, here and here, I had already expressed my apprehensions about the security risks involved in blindly clicking on shortened URLs in Twitter messages and elsewhere. That’s why I had specifically mentioned that one does not know where a shortened URL could lead; accordingly, I had suggested using the preview of the web page to which a shortened URL links before actually clicking on it. Now, the security software company Symantec has released a video showing the security risks of blindly clicking on shortened URLs.
You can watch this Symantec video here (see also this page):
The problem with a shortened URL is that it does not tell you transparently where it is going to take you. For example, while the full URL
http://www.symantec.com/connect/blogs/tweeting-misleading-applications
will inform you in a transparent manner that it is making you visit the Symantec site (though sometimes even a full URL could be deceptive), a shortened URL, for the same full URL as above, namely,
or
will not tell you transparently that it is leading you to the Symantec website. You cannot make out the destination just by looking at the shortened URL. It could take you to an objectionable adult site, or maybe to a web page where some virus or worm is waiting for you.
This is the risk involved in a shortened URL, and it is a serious risk. While shortened URLs have made life simpler for sending short messages containing even long URLs on Twitter, in email or on a mobile phone, they have also heightened certain risks. Necessitated by Twitter’s message limit of 140 characters, which cannot accommodate long URLs, shortened URLs have become synonymous with Twitter messages. In fact, bit.ly, a popular URL shortening service, is the default URL shortening service for Twitter, and any tweet containing a long URL automatically has the long URL converted to a short one using bit.ly.
While referring to Twitter services, Symantec has rightly observed as follows (of course, Symantec has its own interest in highlighting the security risk to promote its own security products; nonetheless, the security risk involved in shortened URLs is not imaginary):
“Unfortunately one of the limitations here is sharing Web pages with long URLs. In order to address this issue, URL-shortening utilities have grown in popularity on the site. Using such tools allows you to include a link well within the 140-character limit, which will redirect anyone who clicks it to the longer URL and thus the site you wanted to share.
There’s one downside here, from a security point of view—you’ll often have no idea where the link leads until you click it. Clicking any link like this is entirely a security leap of faith. Unfortunately malware authors have caught on to this and are currently distributing misleading applications using these shortened URLs. Using enticing tweets and commonly used twitter search terms, their goal is to get other users to click on their links, leading to malicious code.”
And, the above Symantec video amply demonstrates malicious tweets in action.
Thus, one has to be more cautious while clicking on shortened URLs received in Twitter messages or otherwise. And this precaution must be observed even if the message comes from a known person, because he might have simply forwarded the tweet or other message to you without verifying the target web page of the shortened URL.
In any case, it is always advisable to use the preview feature of a shortened URL to first see where that shortened URL is going to lead you. Don’t blindly click on a shortened URL; otherwise there could be a risk to your computer or other device. While TinyURL makes an optional preview available for all its shortened URLs and in all browsers (see my earlier article on TinyURL), the bit.ly preview is available only in the Mozilla Firefox browser through a plugin, and there is no general preview feature for its shortened URLs in all browsers (see my earlier article on bit.ly). There is a need to include a preview of the shortened URL as a default option so that users always know where they are likely to land. The URL shortening services will do well to make the necessary changes to their services, in their own interest as well as in the interest of their users.
Perhaps it is also time for Twitter to consider whether the message limit of 140 characters needs to be relaxed a bit, say up to about 250 or 300 characters, so that most URLs (barring some really long ones) could fit within the message in their full form and the need to resort to URL shortening services would arise only on rare occasions.
One more suggestion would be for website owners to use their own site’s URL for shortening their long URLs. For example, a long URL for a web page at the website http://www.mysite.com/ could perhaps be shortened to something like http://mysite.com/kUsmt or the like. In such a case, the user will know that the shortened URL leads to that particular site itself and not to some unknown harmful or objectionable site.
If you would like to make a comment, please fill out the form below.
1. btw, what does “ly” stand for? which country code is this?
2. i hate this short url thing. it looks so suspicious. all short urls look similar. we’re not in dos days when hard disk limit was there. 2day so much memory is available. no need to use short url. very risky.
“Ly” stands for the country Libya.