Avoid the security risk of shortened URLs

Avoid the security risk of shortened URLs

By Fred Langa

The compact URLs produced by services such as TinyURL, bit.ly, is.gd, and many others are convenient and save space, but they can also be used to hide the identity of malicious sites.

Fortunately, there are several ways to peek behind a shortened URL to see exactly where the link will take you — before you click it!

In fact, every URL-shortening service I’m aware of offers one or more ways to preview the real destination of a shortened link.

For example, here’s a typical bit.ly URL that I created. All it does is take you to the windowssecrets.com home page, but there’s no way to know that in advance — it’s a blind link:

http://bit.ly/10Sjt

Let’s say that (gasp!) you don’t trust me, so you want to see where the link really goes before you click it.

It’s easy: all you have to do is copy the link, paste it into the address bar of any browser window or tab, and add a plus sign to the end, like this:

http://bit.ly/10Sjt+

Adding a plus sign to the end of any bit.ly URL brings you to a special bit.ly page that shows you information about the link, including the full, expanded URL. Using the information on that bit.ly page, you can decide whether the link is safe and worth following.

TinyURL has a similar option. But instead of adding a plus sign at the end of a link, you prepend the word preview. For example, here’s a regular TinyURL link to the Windows Secrets home page:

http://tinyurl.com/6u5ba

Copy that link into the address bar of your browser and add the word preview:

http://preview.tinyurl.com/6u5ba

Now the link will bring you to a preview page that displays the full, expanded URL. (See Figure 1.)

Figure 1. Like all the other major URL-shortening services, TinyURL offers an easy way (circled in yellow) to preview the true destination of a shortened link.

TinyURL also offers a cookie-based option that makes previewing automatic for every TinyURL link you click. To set the (harmless!) preview cookie on your PC, click here:

http://tinyurl.com/preview.php?enable=1

All the major URL-shortening services have similar ways of letting you preview what’s behind their URLs. Security researcher Joshua Long has compiled an excellent free guide, “How to preview shortened URLs (TinyURL, bit.ly, is.gd, and more).”

Of course, if you’re checking lots of links, it can be clunky to manually copy, paste, and edit URLs. Several sites offer automated scripts to make things a bit easier. For example, when you encounter a suspicious short URL, you can click to Longurl, ExpandMyURL.com, or Long URL Please.com.

Paste the suspect short URL into these sites’ dialog boxes, and they’ll show you the full, expanded link.

You also can Favorite or Bookmark those sites to further automate the process of link-checking.

Going a step further, Firefox users can install the bit.ly preview add-on (download site) to allow previewing of short URLs without needing to leave the page you’re on. Despite the name, the add-on works for many URL-shorteners — not just bit.ly.

Chrome users can download (page) a similar extension for that browser.

I know of no fully automated preview tools for Internet Explorer, although several URL-shortening apps are available in the Microsoft IE Add-ons Gallery. Just type url into the search bar.

Note that this level of link-checking usually isn’t needed when you’re clicking on normal links from sites and people you know and trust. But it’s smart to be wary of suspicious links or links with unknown provenance.

When in doubt, check it out!

Fred Langa’s full LangaList Plus column is published weekly in the paid section of the newsletter. A senior editor of the Windows Secrets Newsletter, Fred was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.

Windows Secrets content goes social!

By Andy Boyd

As some of our readers have already noticed, Windows Secrets is now on Facebook and Twitter. We are starting small but plan to expand our presence on the popular sites in the coming months. We hope to see you there.

Finding us on Facebook and Twitter is easy. Just look for the Facebook and Twitter icons in future columns, or cut and paste these links into your browser:

Facebook: http://www.facebook.com/pages/Windows-Secrets/44445913847

Twitter: http://www.twitter.com/windowssecrets

Now that you’ve been reading Windows Secrets for a while, why not let your friends know what you think about it? Click the link below to send out a preformatted tweet — or send your own creation.

Twitter (requires Twitter sign-in): Windows Secrets: Essential tips & tricks for running Windows, IE, Firefox, and more — weekly. Check it out: http://windowssecrets.com
Andy Boyd is the product manager for Windows Secrets.

Patch Watch leftovers include Outlook fixes

By Susan Bradley While most of us in the U.S. are washing up after turkey or tofu, I’m also cleaning up some leftover Patch Watch items. We’ll undoubtedly have fresh helpings of patches in mid-December. But in the meantime, here are a few that might need your attention.

2412273
Ongoing Outlook printing problem finally fixed

This past September, several Windows Secrets readers complained that the MS10-064 security update broke Outlook 2007 — specifically, their ability to print the end times for Outlook calendar appointments.

This has been an ongoing problem with Microsoft’s e-mail client. As reported in an outlook-tips.net story, a problem of bad text wrapping and lost end times popped up in a July Outlook update containing a flawed hotfix originally released in April.

► What to do: The hotfix in MS Support article 2412273 should squash this nasty bug plus several others. Make sure you have Office 2007 SP2 installed before applying the patch. Clicking the “View and request hotfix downloads” link at the top of the article will take you to the hotfix download page.

2445403
Custom add-ins may crash after Outlook patch

September was apparently a difficult month for Outlook updates. After installing the Outlook 2003 patch described in MS10-064, many users reported that Adobe’s PDFMaker add-in had stopped working. More complaints showed up in Adobe’s support forum. After users removed Microsoft’s patch, the converter worked again.

► What to do: Outlook 2003 users can find more information in Support article 2458807, and they can download a hotfix in MS Support article 2445403.

MS10-079 (2344993)
Word patch leads to e-mail failures

I’m tracking a problem with the patch in MS10-079 (2344993), an MS Word update released in October. I’m getting reports from some Outlook 2007 users that, after the patch is installed, e-mail address formatting is corrupted. Replied or forwarded mail gets changed to “mailto” and, when sent, bounces back. Several folks have commented on this issue in Microsoft’s MS Exchange Server admin forums.

► What to do: If you are not affected by this problem, there’s no need to do anything. But if it does appear, consider uninstalling the update. Microsoft is working on the flaw, and I’ll update you when it’s fixed.

Adobe 9 gets an out-of-cycle fix

Adobe Reader and Acrobat version 9.4 (and earlier) users will soon see an update to version 9.41, which fixes a zero-day attack vulnerability. The patch is rated critical and applies to Windows, Mac, and UNIX systems.

As mentioned in an Adobe blog, the next scheduled round of updates will come next February — unless, of course, another unexpected vulnerability should appear.

► What to do: For more details, see Adobe security bulletin APSB10-28. And when updating, don’t forget to uncheck any toolbar offerings that might come with the update’s installation.

Apple’s iPhone, iPad, and iPod get iFixes

Apple released its much anticipated iOS 4.2 this week, and already there’s lots of chatter on an Apple forum about lost music. After installing the update, some iPad and iPhone users got the scary screen shown in Figure 1. Talk about inducing instant panic!

Figure 1. “No Content” is not what you want to see after updating your iPhone. Fortunately, the fix is usually quick and easy.

► What to do: Stay calm. The solution that worked for me — and many of the folks posting on the forum — is to re-synch your device after installing the update. All of your music should be back as it was before the update. Always make sure you back up your iPhone, iPad, or iPod before adding updates.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

Slippery Thanksgiving turkey wins round one

By Revia Romberg Ahhh, Thanksgiving in the U.S.! Outside, the leaves are changing, and we’re starting to feel that holiday spirit. It’s a time of family, friends, and gratitude — and lots of yummy food. For one day, life seems simple and uncomplicated. Unless, of course, you’re the one hosting Thanksgiving dinner. Cooking the traditional turkey can be a painstaking process — especially if you’re wrestling an enormous bird. Watch as this exasperated cook gets her Thanksgiving feast under way with a thud. Play the video

Last chance for Word 2010 Inside Out!

Our free bonus download of Microsoft Word 2010 Inside Out is coming to an end. Katherine Murray’s detailed look at Word 2010 goes beyond the basics — it provides hundreds of expert insights, troubleshooting tips, workarounds, and more.

Exclusively for Windows Secrets subscribers, O’Reilly Media is providing — free — Chapter 1, Spotlight on Microsoft Word 2010. It explores what’s new in Word 2010, how to use the Ribbon, what you need to know about the status bar, plus many other handy tips.

If you want to download this free excerpt, simply visit your preferences page and save any changes; a download link will appear.

All subscribers: Set your preferences and download your bonus
Info on the printed book: O’Reilly’s online store