Archive for the ‘Security’ Category

More Evidence of the Threat from Short URLs

Jul 10

As a follow-up to one of my earlier posts: The New York Times recently reported on a study from Message Labs showing that spammers are increasingly using shortened URLs to drive traffic to their sites and malware.

Check out their story here.

Protect yourself out there.

What am I Clicking?

Jul 2

URL shortening services such as TinyURL and Bit.ly have become the norm on the Internets. They were created to make URLs memorable, easy to type and less confusing when telling someone how to get to a site. As the name implies, the service takes a long URL and creates a new, shorter, unique URL. When that short URL is clicked, the service automatically redirects the browser to the original (and longer) URL.

TinyURL.com gives this example:

Turn this URL: http://rover.ebay.com/rover/1/711-53200-19255-0/1?type=3&campid=5336224516&toolid=10001&customid=tiny-hp&ext=unicycle&satitle=unicycle into this tinyURL: http://tinyurl.com/unicycles

It’s all Twitter’s Fault

Long URLs weren’t much of a problem at first because links were mostly shared in email or embedded within web pages. Then microblogging sites like Twitter, Identi.ca and Plurk came along that only allow 140-character messages. It’s hard to share a link if the URL alone can be more than 140 characters.

As a paranoid security guy, I’ve always been bothered when presented with these short URLs. I have no idea where the link is going. Is it safe for me to click on while I’m at work? Is it even safe for my computer? It is entirely possible for the link to take me to a malicious site that infects my computer and eats babies. We’re just getting to a point where many people understand that they shouldn’t click on links in email. Now we expect them to blindly click short URLs without knowing where they lead?

Surprise, Surprise: URL Shortening Service Gets Hacked

I read at ComputerWorld and SC Magazine that the URL shortening service Cligs was attacked and more than 2.2 million addresses were redirected to a site other than the one intended. You can read more about it in the links above. In this instance, the site users were redirected to did not appear to be malicious.

What’s an Internet Addict to Do?

Fortunately, there are a couple of things that can help reduce the risk of clicking short URLs.

  1. Don’t click on short URL links.
    • Yeah, I know. This is like telling you to unplug your computer to keep your data safe. I follow the same standards that I do with email. If it’s from someone that I’m not extremely familiar with, I don’t click. If it looks abnormal or out of place, I don’t click. Even if it’s from someone that I’m familiar with but doesn’t have any context, I don’t click. I doubt any one link is going to make me miss out on some life enriching content.
  2. URL Expanders
    • Bit.ly has an awesome Firefox plugin that expands URLs for bit.ly links as well as a slew of others. You hover over the link and it will show the expanded URL, page title and sometimes shows how many people have previously clicked on the link.
    • TinyURL has something similar but not as elegant. If you go to TinyURL.com and click Preview Feature on the sidebar, a cookie is set in your browser to take you to a TinyURL landing page that will show you where the link goes. Not the best solution by far.
    • LongURL Mobile Expander is another Firefox extension and my expander of choice. At this time, it has support for 208 URL shortening services. Like bit.ly’s plugin, it pops up a preview of the full URL that the link goes to as well as the title of the page.
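The expanders listed above all do the same thing under the hood: they ask the shortening service where the link points and show you the answer without loading the destination page. The following is an added example, written for this post rather than taken from it or from any of the tools named above, of that idea in Python. It follows the redirect chain one hop at a time with HEAD requests, refuses non-HTTP schemes, and stops on loops or overly long chains. The hostnames (`short.example`, `www.example.com`) and the redirect table are constructed for the demonstration and are not real services.

```python
"""Resolve a short URL to its final destination without rendering any page.

Added example, not code from the original post or from any expander tool.
Standard library only. The redirect table below is constructed test data.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def fetch_location(url, timeout=5):
    """Issue a single HEAD request and return (status, Location header or None).

    Redirects are deliberately NOT followed automatically so that every hop
    in the chain is visible and can be checked before anything is loaded.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Follow redirects hop by hop; return the chain and a verdict.

    `fetch` is injectable so the logic can be exercised offline.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            # Not a redirect: this is where the short link actually lands.
            return {"chain": chain, "final": current, "status": status,
                    "ok": True, "reason": "resolved"}
        nxt = urljoin(current, location)  # Location may be relative
        scheme = urlsplit(nxt).scheme
        if scheme not in ("http", "https"):
            return {"chain": chain + [nxt], "final": nxt, "status": status,
                    "ok": False, "reason": "non-http scheme: " + scheme}
        if nxt in seen:
            return {"chain": chain + [nxt], "final": nxt, "status": status,
                    "ok": False, "reason": "redirect loop"}
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return {"chain": chain, "final": current, "status": None,
            "ok": False, "reason": "too many redirects"}


# Constructed redirect table standing in for real shortening services.
CONSTRUCTED_HOPS = {
    "http://short.example/abc": (301, "/go?id=abc"),
    "http://short.example/go?id=abc": (302, "https://www.example.com/article?id=42"),
    "https://www.example.com/article?id=42": (200, None),
    "http://short.example/loop": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop"),
    "http://short.example/data": (302, "data:text/html,hello"),
}


def fake_fetch(url):
    """Offline stand-in for fetch_location using the constructed table."""
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://short.example/loop",
                  "http://short.example/data"):
        result = expand(start, fetch=fake_fetch)
        print(start, "->", " -> ".join(result["chain"]), "|", result["reason"])
```

Calling `expand(url)` without the `fetch` argument uses the network and performs real HEAD requests; the chain it returns is what an expander plugin shows you on hover, and the `ok` flag is the point at which a cautious user (or a mail gateway) would decide whether to proceed.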

With so many different shortening services popping up from day to day, I’m surprised that I don’t see more conversation about using them securely. If you have other tips, please share them here in the comments.

Looking for CISSP Resources

Jun 27

I’ve been thinking about it for 3 years now. In other words…procrastinating. Maybe I’ve finally decided to take the next step in building my resume in order to advance my career. As an Information Security professional, the Certified Information Systems Security Professional (CISSP) is “the” most recognizable and respected certification to have.

In 2007 I completed my master’s degree in Information Systems with a specialization in Information Security. With that, along with my 5 years of security administration experience, I was able to move up the career ladder. Most of the security folks that I’ve talked with agree that the CISSP is still a beneficial credential to continue building out my resume.

I decided to query my social networks to find out the best resources for studying for the test, and here are some of the suggestions that I received.

Books:
CISSP Certification All-in-One Exam Guide, Fourth Edition

  • Hardcover: 1145 pages
  • Publisher: McGraw-Hill Osborne Media; 4th edition (November 9, 2007)
  • Language: English
  • ISBN-10: 0071497870
  • ISBN-13: 978-0071497879

Official (ISC)2 Guide to the CISSP CBK

  • Hardcover: 1112 pages
  • Publisher: Auerbach Publications; 1st edition (November 14, 2006)
  • Language: English
  • ISBN-10: 0849382319
  • ISBN-13: 978-0849382314

Web:
CCCure.org
Portal that contains resources for studying the Common Body of Knowledge related to various certifications, including CISSP.

7 Types of Hard CISSP Exam Questions and How To Approach Them
White paper by Global Knowledge.

Training:
SANS +S Training Program (Management 414)
SANS class focused on the CISSP common body of knowledge (CBK).

Now, I just need to get started. If anyone has other resources that they would suggest, please let me know. I’m also open to tricks & methodology used to study and retain all this information.

Thanks to @SecurityTwits for these tips.