• Avoid the security risk of shortened URLs


    • This topic has 24 replies, 22 voices, and was last updated 14 years ago.
    #473249


    TOP STORY

    Avoid the security risk of shortened URLs

    By Fred Langa

    The compact URLs produced by services such as TinyURL, bit.ly, is.gd, and many others are convenient and save space, but they can also be used to hide the identity of malicious sites.

    Fortunately, there are several ways to peek behind a shortened URL to see exactly where the link will take you — before you click it!


    The full text of this column is posted at WindowsSecrets.com/2010/25/11/02 (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    Viewing 17 reply threads
    • #1256616

      Another trick I sometimes use is to use Rex Swain’s HTTP Viewer, available at http://rexswain.com/httpview.html. Just type the shortened URL into the “URL” box, hit the “Submit” button, and let the script show you exactly where the shortened URL leads to. As long as it’s an HTTP redirect, the script will follow it.

      HTH,
      Tom

    • #1256630

      There’s a review of the Firefox extension that links to a blog stating this plug-in sends data on every page you visit to bit.ly. I haven’t seen this refuted anywhere. Hardly the sort of thing you want to be suggesting that your readers install…

      • #1256638

        There’s a review of the Firefox extension that links to a blog stating this plug-in sends data on every page you visit to bit.ly. I haven’t seen this refuted anywhere. Hardly the sort of thing you want to be suggesting that your readers install…

        I too noted this and was deterred from installing the addon. A comment from WS would be much appreciated 🙂

        Win10 22H2 Pro, MBAM Premium, Firefox, OpenOffice, Sumatra PDF.
    • #1256631

      I use all the browsers, but right now I’m using IE9 Beta…. The real ‘friendly’ URL by default shows on the bottom in a bubble in IE9 by simply hovering the mouse pointer over the link.

    • #1256632

      Good point Fred and worth reminding people. In my case I use (only) Firefox (way ahead of IE all versions) and just by hovering the cursor over the link, even a Tiny URL, Firefox displays the full address. This is true I find in emails I receive from my webmail client. The whole point about false links or email addresses needs reiterating to the public as it is becoming increasingly difficult to know what’s going on.

    • #1256647

      I have just hovered over each of the shortened links and immediately whilst hovering saw the destination.
      No copy and paste;
      no adding a ‘+’ or any other nonsense

      The destination appeared immediately in the address bar.

      Before hovering the address bar displayed
      http://windowssecrets.com/comp/101125

      Whilst Hovering over http://tinyurl.com/6u5ba it displayed
      http://windowssecrets.com/comp/1… > http://windowssecrets.com/links/%P20d/ etc etc

      I think this may be a new feature built into Firefox 4.0 Beta 7.

      Regards
      Alan

    • #1256654

      I saw your links in MS Outlook 2007 and mousing over them revealed the true URLs. As I never see these while browsing, the ones I do encounter (thru the email) don’t bother me.

      While going to your website I did see you had a tiny url at the top on the right side. Since I am in firefox I right-clicked on it and scrolled down to the NoScript tab which opened another drop down showing the real URL and any others attached to the link.

    • #1256660

      If you’re using Chrome as your browser, right-click on the URL and choose “Inspect Element.”
      It will open a window at the bottom of the screen with the hyperlink and its resultant URL highlighted

      Code:
      [url="http://WindowsSecrets.com/links/$P20d/185aabh/?url=bit.ly%2F10Sjt"]http://bit.ly/10Sjt[/url]

      Walt

    • #1256663

      Why not just right-click the short url and look at properties. That shows the real link

      • #1256713

        Why not just right-click the short url and look at properties. That shows the real link

        I agree.. that is by far the easiest way to check ANY link!

    • #1256674

      Richard Eastman at
      http://blog.eogn.com…l-links.html#tp
      has an interesting article in which he claims that Google’s shortening has a security advantage.

    • #1256676

      Good article. However, for those reporting being able to see the true destination by hovering over one of the short URLs it is not because of a feature of your email client or browser. It’s because the HTML email has the actual long URL coded into it.

      For example, here’s the actual HTML from the first example in the newsletter email:

      http://bit.ly/10Sjt

      Same holds true for the Web version.

      Ed
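
Ed's point, as an added example (not code from the thread): hovering only reveals whatever `href` the page author wrote, so the sketch below parses anchors and flags those whose visible text is a URL on a different host than the `href`. `SAMPLE_HTML` is constructed; its first link reuses the newsletter URL quoted earlier in the thread, and the second stands for a page that links to the short URL directly.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased host of a URL, tolerating a missing scheme (www.x.com/...)."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def audit_links(html):
    """Return (text, href, mismatch) per anchor. mismatch is True when the
    visible text is itself a URL whose host differs from the href's host."""
    parser = AnchorCollector()
    parser.feed(html)
    report = []
    for href, text in parser.anchors:
        text_is_url = text.startswith(("http://", "https://", "www."))
        report.append((text, href, text_is_url and host(text) != host(href)))
    return report

# Constructed sample markup.
SAMPLE_HTML = """
<p><a href="http://WindowsSecrets.com/links/$P20d/185aabh/?url=bit.ly%2F10Sjt">http://bit.ly/10Sjt</a></p>
<p><a href="http://bit.ly/10Sjt">http://bit.ly/10Sjt</a></p>
"""

if __name__ == "__main__":
    for text, href, mismatch in audit_links(SAMPLE_HTML):
        print(f"text={text}\n  hover shows={href}\n  mismatch={mismatch}")
```

A `False` result on the second link does not mean the link is safe: the hover text there is the short URL itself, so the destination is only learned by asking the shortener.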

    • #1256681

      Information below was gathered long ago from http://support.microsoft.com/?id=833786 and gives a method of avoiding going to any spoofed URL’s, not just shortened URL’s.

      Copy and paste the following javascript alerts in a text file and keep it on your desktop. To check out the validity of any URL, copy and paste either of them into the browser’s address bar and press “enter”.

      javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");

      javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");

      Also, in the scenarios that Microsoft has tested, you can use the History Explorer Bar in Internet Explorer to help identify the URL of a Web page. Click History. Compare the URL in the Address bar with the URL that appears in the History bar. If they do not match, the Web site is likely misrepresenting itself and you may want to close Internet Explorer.

    • #1256686

      I use a FF addon called UntinyFox ( https://addons.mozil…ox/addon/10181/ ) which allows me to see a long URL in the FF status bar by hovering over the short link.

      See http://min.us/iRas6.jpg

      If you go here:
      http://www.untiny.me/extra/#addon=0

      there are numerous variations on this code for Chrome, Opera, a bookmarklet and what looks to be support for IE8 (which might work in IE9).

    • #1256715

      I use Outlook and Windows Explorer and I see the full link when I browse over it and have ever since I got Windows 7.

    • #1256759

      I can see the full URL in the bottom status bar of my IE 8.0 window when I hold my cursor (without clicking) over the URL. I think there might be a setting under the View menu where you have to tell it to show the status bar, as in Windows XP and other Windows versions… I always enable that when I get a new installation. 🙂

      So bottom-line, no need to type anything extra into the URL or preview or download a third-party piece of software, etc. Just click the View menu, move cursor over Toolbars > check the “Status Bar” and now hover the cursor over a URL and look down in the lower-left corner of the browser window. Voila!

      • #1256760

        I can see the full URL in the bottom status bar of my IE 8.0 window when I hold my cursor (without clicking) over the URL. I think there might be a setting under the View menu where you have to tell it to show the status bar, as in Windows XP and other Windows versions… I always enable that when I get a new installation. 🙂

        So bottom-line, no need to type anything extra into the URL or preview or download a third-party piece of software, etc. Just click the View menu, move cursor over Toolbars > check the “Status Bar” and now hover the cursor over a URL and look down in the lower-left corner of the browser window. Voila!

        Try it on this page: http://edmullen.net/temp/temp2.php

        Anybody see the actual destination URL? No, you can’t. Not by any of the methods mentioned here except UntinyFox. Because it simply isn’t there. As I explained in my last post, the email and the Web articles’ HTML code has the final destination in it. Re-read my first post.

        • #1256785

          Try it on this page: http://edmullen.net/temp/temp2.php

          Anybody see the actual destination URL? No, you can’t. Not by any of the methods mentioned here except UntinyFox. Because it simply isn’t there. As I explained in my last post, the email and the Web articles’ HTML code has the final destination in it. Re-read my first post.

          Well, I see it in the status bar but I have UntinyFox installed. However, I also see at least a partial link by hovering over your 1st link. This comes from LongURL which I have installed as a Greasemonkey script.

          See:
          http://min.us/idqyxK.jpg

          • #1256806

            Well, I see it in the status bar but I have UntinyFox installed. However, I also see at least a partial link by hovering over your 1st link. This comes from LongURL which I have installed as a Greasemonkey script.

            See:
            http://min.us/idqyxK.jpg

            So re-read my posts. I specifically mentioned what would and would not work to display/reveal the links and the underlying HTML code. No one has responded directly to what I posted, nor contradicted what I said. Greasemonkey has never come up before. But I did address UntinyFox.

            I stand by my posts.

            And, I find it interesting that no one from Windows Secrets has answered what I said. It’s a simple HTML coding issue. The original was (at least until someone proves to me otherwise) screwed up. It was a good article undone by bad construction of HTML.

            Again, read my other posts. Go to the example page I posted. Try the “tricks” others have posted. Do they work? No.

            I think my points are clear. If you don’t think so, let me know, and let me know specifically how. If you don’t understand the concepts in my posts, let me know. But, what I stated is, to the best of my ability, the facts.

            For anyone to be spreading nonsense about browsers’ abilities to uncover final destination links in short URLs is just wrong (again, with the exception of the Firefox extension mentioned – although, hardly anyone uses it).

            So, ok, where are the authors of the Windows Secrets newsletters in all of this?

    • #1256815

      Something I’ve been doing since two weeks after dirt was invented is to right-click on the link and click “Properties.” And, voilà (!), you can see it’s a redirect. Plus I can copy and paste from the Properties into a The Google window and see what’s what. I don’t have to type anything.

      Just my 2¢

    • #1256954

      Fred’s articles are always educational. Thanks Fred.

    • #1256981

      in firefox 3.6 on my winXP puta, “properties” is not on the right-click menu, and right at this moment i have nothing installed that shows the decoded link when i hover over a shortened link.

      i have a greasemonkey script installed called TinyURL Decoder, http://korta.nu/e650, http://ponyurl.com/3fttsw, or http://to.ly/W6, that expands shortened links from 85 or so services but it only works on twitter’s web page. actually any page could be added to the @includes and it seems to work; i just added http://lounge.windowssecrets.com/* and it decoded the 3 links i pasted above.

      i don’t worry about shortened links from my 500 close friends on twitter, but i never click on a link sent to me by someone who doesn’t follow me.

    • #1280038

      Depends on the way the copy is done. If highlighted and copied (Ctrl-C), then what Fred says is true. However, if the browser’s right-click copy or copy link address is used with at least Opera, IE8 and FF4, then the full real address shows when copied (Ctrl-V) into the page’s address field. The latter is the way I normally copy links.
