The Insecurity of URL Shortening

If you are reading this blog you probably know what URL shortening is, but for those of you who don’t (and that’s okay) it is a service that takes a normal URL and shortens it (pretty simple huh?). Lately there has been a lot of talk about URL shortening and the possible security issues regarding it.

The first (and sometimes only) reason I hear when I ask about the insecurity of URL shortening services is the possibility that someone would post a shortened link that points to a malicious website. Obviously no one would click on this link if they could see the URL it is pointing to, but adding that extra layer of the URL shortening service increases the chances that someone would click that link. But, if you are careful you can still be relatively safe.

I don’t know about all of you but I don’t click on shortened URLs unless they are either in an email or in a tweet, and they must be posted by someone I either know or trust. I don’t go around clicking on shortened URLs willy-nilly, and neither should you. In fact, when it comes to email you probably shouldn’t click on them at all, unless you were expecting to get a link from the person that sent it to you.

The other reason that seems to crop up often is the idea that someone would send you a shortened URL that is hiding an affiliate link. Affiliate links are great ways to make money, but some people get a little upset when they are “tricked” into buying a product through an affiliate link that doesn’t appear as one. The fact is, if you purchased something through someone’s link they probably should get a kickback for it; for all intents and purposes they convinced you to buy something, so why not let them have a commission for that sale? The worry that these complainers have is that the person posting the shortened affiliate link would lie about the quality or features of the product in an effort to convince you to buy it. But, we are all adults (last time I knew you had to be an adult to get a credit card, which is necessary to purchase something online), so why can’t we take responsibility for our own purchases? Do your research before you buy anything online and make sure you are getting opinions about it from a reputable source, affiliate link or not. A lot of people using affiliate links give their honest and true opinion (but let’s not get into that can of worms).

The best thing you can do to keep yourself safe when clicking on shortened URLs is to only click on them if the person who posted them is trusted, and don’t click on them if there isn’t any good reason for the link to be shortened in the first place. Twitter’s character limit is a good reason to shorten a URL; there isn’t any reason anyone should shorten URLs posted on a forum or on a social bookmarking site.

The two things that make my suggestion a little more difficult to completely trust are the possibility that the trusted person’s account is compromised and the possibility that the URL shortening service itself is compromised. This poses a much more serious problem, but unfortunately the only thing you can do to keep yourself safe in those situations (that is, if you want to continue using shortened URLs) is to use up-to-date software.

But there are a couple of things that services like Twitter can do to keep you safe from shortened URLs pointing to malicious websites. Twitter could unshorten URLs sent to the service and only keep them short for users that receive tweets via SMS, where there are character limits. Twitter could also build its own URL shortening service that would (seemingly) be much harder to hack than a smaller “rinky-dink” URL shortening service that might not have security on its mind as much as Twitter does. An unintended (but fantastic) consequence of Twitter implementing either of these suggestions would be that if a URL shortening service ever fails or ceases to exist the links would still work, because Twitter would have saved the unshortened versions in its database.
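To make the “unshorten before you display it” idea above concrete, here is an added Python sketch (not code from the original post) that resolves a short link’s redirect chain hop by hop, caps the number of hops, flags loops, and checks the final host against a trusted list. The redirect table and hostnames are constructed samples, and the fetcher is a stub standing in for HEAD requests made with automatic redirects disabled.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: short URL -> Location header it would return.
# None of these hostnames or paths belong to a real service.
SAMPLE_REDIRECTS = {
    "https://sho.rt/abc": "https://another.sho.rt/xyz",
    "https://another.sho.rt/xyz": "/landing?ref=aff123",  # relative Location
    "https://another.sho.rt/landing?ref=aff123": "https://shop.example.com/item/42",
    "https://sho.rt/loop1": "https://sho.rt/loop2",
    "https://sho.rt/loop2": "https://sho.rt/loop1",
}


def stub_fetch_location(url):
    """Stand-in for a HEAD request: return the Location header, or None
    when the URL is a final page rather than another redirect."""
    return SAMPLE_REDIRECTS.get(url)


def unshorten(url, fetch_location=stub_fetch_location, max_hops=5):
    """Follow redirects manually and return (final_url, chain, status).

    status is "ok", "loop" (a URL repeated itself) or "too_many_hops".
    Resolving by hand, instead of letting a client auto-follow, is what
    lets a service store and show the expanded URL before anyone clicks.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch_location(chain[-1])
        if location is None:
            return chain[-1], chain, "ok"
        nxt = urljoin(chain[-1], location)  # relative Location headers are legal
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too_many_hops"


def destination_is_trusted(final_url, trusted_hosts):
    """Judge the *final* host, not the shortener's, against an allow-list.
    Exact match or a proper subdomain only, so 'notexample.com' never passes."""
    host = urlsplit(final_url).hostname or ""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


if __name__ == "__main__":
    final, chain, status = unshorten("https://sho.rt/abc")
    print(status, " -> ".join(chain))
    print("trusted destination:", destination_is_trusted(final, {"example.com"}))
```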

But, no matter what anyone does, URL shortening services will always be the subject of scrutiny by the security conscious. There is always a trade-off of security for the sake of convenience, so if you want to continue using shortened URLs you will have to deal with a little bit of risk.