URL shorteners are becoming extraordinarily popular, thanks mostly to Twitter. The need to cram a full URL into 140 characters has spawned services like bit.ly, is.gd, and Twitter’s new t.co. URL shorteners convert the real URL to one that takes up fewer characters. So http://www.zdnet.com/blog/bott/office-starter-2010-drops-the-crapware-adds-ads/2220 becomes http://is.gd/cQkSS. (Both links lead to the same page.) And there are lots of shortening services, which means my original link could also be (and certainly is) translated into links from bit.ly and tinyurl.com and goo.gl and even ZDNet’s official domain, zd.net.
The problem is, the shortening process is also destructive, removing some key data points that you need to make an informed trust decision about whether to click that link. What domain is it from? Is it one I am confident will not be compromised? Does the name of the link provide any clues about its content?
With short URLs, you lose those data points. My original very long URL gives me all sorts of clues that allow me to set my expectations with confidence. I know it’s at a domain I trust, zdnet.com, and I can even divine the title of the article. The shortened URL tells me nothing.
The consequences of following a bad link can be unfortunate. After I got a couple of very suspicious links from a couple of unrecognized Twitter accounts yesterday, I passed them along to Chris Boyd (@paperghost on Twitter) who wrote about the phenomenon on The Sunbelt Blog (see "PDF exploit spam run on Twitter") and also pointed to a technical article at the Trend Micro blog: "New malicious Twitter spam."
Here’s how it works: A hostile Twitter account churns out messages that say, “Wow, a marvelous product” or “I Just Cant Believe This,” accompanied by a handful of user names to make sure they get seen.
Click the link, and you might be redirected to some sort of paid movie service. […]
If you’re unlucky, however, you’ll end up at a URL such as fqsmydkvsffz(dot)com/tre/vena(dot)html, where PDF exploits await.
So how do you protect yourself? One way is to be suspicious of short URL services and check the link before you visit the page. One feature I like about TweetDeck is that it shows a preview of the destination URL when you click a shortened URL.
I like the fact that Bit.ly has an API that allows third parties to customize their domain for short links. When I see a short URL from the zd.net domain, I am very confident that it is safe to click on and in fact I know that I am going to go to the ZDNet site.
If you’re suspicious about a short link, you can often preview its contents by pasting the link into a browser and then tacking a suffix onto it. For a link from is.gd, for example, you can add a minus sign (hyphen) to the end of the URL to visit a preview page hosted on the is.gd servers. You can preview a bit.ly link by tacking a plus sign onto the end. If you’re suspicious of a link, copy it to the Clipboard, paste it into the address bar, and add the appropriate suffix.
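The two habits described above, previewing a short link on the shortener's own site and learning where it really goes before loading the page, as an added example that is not part of the original article. The redirect table is constructed and stands in for the Location headers a HEAD request would return; treating ZDNet's custom zd.net domain like bit.ly for the preview suffix is an assumption.

```python
from urllib.parse import urlparse, urljoin

# Preview suffixes described in the article: is.gd appends "-", bit.ly "+".
# Treating the custom bit.ly domain zd.net like bit.ly is an assumption.
PREVIEW_SUFFIX = {"is.gd": "-", "bit.ly": "+", "zd.net": "+"}

def preview_url(short_url):
    """Preview page for a short link, or None if the host is not in the table."""
    suffix = PREVIEW_SUFFIX.get((urlparse(short_url).hostname or "").lower())
    return short_url + suffix if suffix else None

def resolve_chain(start_url, fetch_location, max_hops=5):
    """Walk a redirect chain one hop at a time without loading the final page.
    fetch_location(url) returns the Location header for url, or None when url
    is a final destination. Returns (hops, final_url, reason)."""
    hops, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        nxt = fetch_location(url)
        if nxt is None:
            return hops, url, "final"
        nxt = urljoin(url, nxt)          # Location may be relative
        hops.append(nxt)
        if nxt in seen:                  # redirect loop: never reaches a page
            return hops, nxt, "loop"
        seen.add(nxt)
        url = nxt
    return hops, url, "too-many-hops"

def trust_verdict(final_url, trusted_domains):
    """(hostname, trusted?) where trusted means the host is, or is under, a listed domain."""
    host = (urlparse(final_url).hostname or "").lower()
    return host, any(host == d or host.endswith("." + d) for d in trusted_domains)

# Constructed sample standing in for HEAD responses; nothing touches the network.
SAMPLE_REDIRECTS = {
    "http://is.gd/cQkSS": "http://www.zdnet.com/blog/bott/office-starter-2010-drops-the-crapware-adds-ads/2220",
    "http://zd.net/abc": "http://bit.ly/xyz",            # shortener -> shortener
    "http://bit.ly/xyz": "http://www.zdnet.com/blog/bott/2220",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}

def sample_fetch(url):
    return SAMPLE_REDIRECTS.get(url)

if __name__ == "__main__":
    for s in ("http://is.gd/cQkSS", "http://zd.net/abc", "http://bit.ly/loop1"):
        hops, final, why = resolve_chain(s, sample_fetch)
        host, ok = trust_verdict(final, ["zdnet.com"])
        print(preview_url(s), "|", " -> ".join(hops), "|", why, host, ok)
```

To use it against live links, supply a fetch_location that issues a HEAD request with redirects disabled and returns the Location header; the chain walker itself never downloads the destination page.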
The URL shortening services are also reacting to complaints fairly swiftly. The hostile links I saw yesterday were disabled within 24 hours. Here’s what I saw when I visited one of those links a few minutes ago:
Bit.ly has an excellent statement of how it handles security:
bit.ly uses data from a number of independent sources in addition to its own internal classifiers to determine whether or not destination sites propogate [sic] spam, viruses, or other malware. The third party sources include Sophos, Websense, VeriSign, PhishTank, and Google Safe Browsing. For Firefox and Chrome browser users, we also have a Preview Plugin that allows you to view link details before clicking. If you are a Twitter user, similar preview features are available from Tweetdeck (see a write-up of how it works here).
The goal of the bad guys is to get you to click on their link, and they’re good enough at it to warrant some respect. Ultimately, there are a lot of links I simply don’t click, especially those that ostensibly lead to shocking or amusing videos and articles. The reward isn’t worth the risk. Links from strangers are always suspicious, but a link that appears to be from a friend might actually be from a hacked Facebook or Twitter account. And you have no idea of where it really goes.
So, seriously: Be careful what you click.
If you’re interested in this topic, it’s worth reading DeWitt Clinton’s recent "More thoughts on URL shorteners," which covers this topic in much more depth than I can do here. Highly recommended reading.