What is TinyURL and how does it affect internet security?

TinyURL is a web redirection service. Its main purpose in life is to make long URL’s short (a URL is a web “address”). Here’s an example:

Sometimes you end up with a long URL such as: https://fraudo.com/2009/03/19/does-windows-safe-mode-protect-you-from-malware/

TinyURL can shorten this address for you. Try clicking on the following address: http://tinyurl.com/dfwohy

You’ll notice it takes you to the same page as the first link, but it’s much shorter to write. And why would someone want a short URL? Marketing people would argue that short URLs are easier on the eyes. And sometimes there are technical reasons – for example, Twitter only supports short messages so it’s normal to shorten URLs.

So what’s the risk?

dice If you receive an email from some company telling you to click on their link, and if you notice their link goes to a Chinese or Russian web site, you’ll be suspicious and you won’t click on it. And if you have a good anti-virus package installed it can detect the links and warn you before you click on them.

However, if the email’s links point to TinyURL you have no way of knowing if it’s legitimate (actually there is a way, keep reading). Maybe it goes to the company’s real site, maybe it goes to a hacker’s. You won’t know until you click (and usually once you click it’s too late).

Do legitimate companies really use TinyURL? Unfortunately yes. Marketing people write these newsletters, not their IT security people.

What about Twitter? Almost everyone on Twitter uses a service such as TinyURL to shorten addresses they share. When you click on these you’re taking a chance.

TinyURL isn’t the only redirection service. Here’s a list of the popular ones:

  • tinyurl.com
  • bit.ly
  • budurl.com
  • eweri.com
  • hex.io
  • idek.net
  • is.gd
  • poprl.com
  • snipr.com
  • twurl.nl
  • ub0.cc

Notice how many there are? Shortening URLs has become a popular thing to do. Also notice that international domain names are popular here, such as .io and .ly.

So what can you do?

  • Use a good web browser. In a recent hacking competition Google’s Chrome was not hacked, showing that at the moment it’s a good choice.
  • Use a good anti-virus package that also scans web pages.
  • Be cautious of shortened URLs, realise that you’ll be redirected to a different place
  • You could ask companies such as TinyURL to scan all their links but that’s not going to happen, they don’t see it as their job.
  • You could boycott all shortened URLs. That’s easier said than done and it’s not very realistic.
  • And finally, the best way to protect yourself from this is also the most troublesome, so I’ve left it to last. Services such as TinyURL do give you a tool to test a link before you click on it.

TinyURL’s Preview Feature:

TinyURL has a preview feature. It’s a good security decision to turn it on. It’s an inconvenience if you enjoy clicking on unknown links but it’s a smart move. Click here to turn on their Preview feature: http://tinyurl.com/preview.php?enable=1

Then when you click on an unknown TinyURL link, it will show you where you’re about to go. You still have to be careful about weird Chinese and Russian sites that might be hacked but at least you’ll have enough information to make that decision.

It’s not a foolproof system though. Even if you’ve enabled Preview there might be times where it doesn’t work. That’s just the way computers work, it’s technically complicated. And enabling Preview on TinyURL doesn’t help you with all the other services I listed above. There’s just too many of them at the moment.

If you’ve read this far you’ve done well. Being aware of the dangers gets you half way to being secure.

lottery wheel

Update (19 July 2011):

Google has a new URL shortening service called g.co . For now their plan is to use it for official Google sites and applications. So shortened URLs beginning with g.co should be considered safe and legitimate for now.

One thought on “What is TinyURL and how does it affect internet security?”

Leave a Reply

Your email address will not be published. Required fields are marked *