  1. #1
    iNET Interactive
    Join Date
    Jan 2010
    Location
    Seattle, WA, USA
    Posts
    375
    Thanks
    1
    Thanked 29 Times in 24 Posts



    TOP STORY

    Avoid the security risk of shortened URLs


    By Fred Langa

    The compact URLs produced by services such as TinyURL, bit.ly, is.gd, and many others are convenient and save space, but they can also be used to hide the identity of malicious sites.

    Fortunately, there are several ways to peek behind a shortened URL to see exactly where the link will take you — before you click it!

    The full text of this column is posted at WindowsSecrets.com/2010/25/11/02 (opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by revia; 2011-01-19 at 13:48.

  2. #2
    New Lounger
    Join Date
    Nov 2010
    Location
    Colorado Springs, CO
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Another trick I sometimes use is to use Rex Swain's HTTP Viewer, available at http://rexswain.com/httpview.html. Just type the shortened URL into the "URL" box, hit the "Submit" button, and let the script show you exactly where the shortened URL leads to. As long as it's an HTTP redirect, the script will follow it.

    HTH,
    Tom
    Tom Brownsword, CISSP, GCIA, Security+, ITILv3
    Certified Computer Security Professional
    Colorado Springs, CO
    http://www.TheBusinessProtector.com

  3. #3
    New Lounger
    Join Date
    Aug 2010
    Location
    Bristol, UK
    Posts
    15
    Thanks
    2
    Thanked 0 Times in 0 Posts
    There's a review of the Firefox extension that links to a blog stating this plug-in sends data on every page you visit to bit.ly. I haven't seen this refuted anywhere. Hardly the sort of thing you want to be suggesting that your readers install...

  4. #4
    New Lounger
    Join Date
    Dec 2009
    Location
    Florida, USA
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I use all the browsers, but right now I'm using IE9 Beta... the real 'friendly' URL by default shows on the bottom in a bubble in IE9 by simply hovering the mouse pointer over the link.

  5. #5
    New Lounger
    Join Date
    Dec 2009
    Location
    Milan
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Good point Fred and worth reminding people. In my case I use (only) Firefox (way ahead of IE all versions) and just by hovering the cursor over the link, even a Tiny URL, Firefox displays the full address. This is true, I find, in emails I receive from my webmail client. The whole point about false links or email addresses needs reiterating to the public as it is becoming increasingly difficult to know what's going on.

  6. #6
    New Lounger
    Join Date
    Dec 2009
    Location
    UK
    Posts
    19
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Originally Posted by Phil Leahy:
    There's a review of the Firefox extension that links to a blog stating this plug-in sends data on every page you visit to bit.ly. I haven't seen this refuted anywhere. Hardly the sort of thing you want to be suggesting that your readers install...
    I too noted this and was deterred from installing the addon. A comment from WS would be much appreciated :-)

  7. #7
    2 Star Lounger
    Join Date
    Feb 2010
    Location
    U.K.
    Posts
    113
    Thanks
    0
    Thanked 19 Times in 14 Posts
    I have just hovered over each of the shortened links and immediately whilst hovering saw the destination.
    No copy and paste;
    no adding a '+' or any other nonsense

    The destination appeared immediately in the address bar.

    Before hovering the address bar displayed
    http://windowssecrets.com/comp/101125

    Whilst Hovering over http://tinyurl.com/6u5ba it displayed
    http://windowssecrets.com/comp/1... > http://windowssecrets.com/links/%P20d/ etc etc

    I think this may be a new feature built into Firefox 4.0 Beta 7.

    Regards
    Alan

  8. #8
    New Lounger
    Join Date
    Mar 2010
    Location
    Apostolove, Ukraine
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I saw your links in MS Outlook 2007 and mousing over them revealed the true URLs. As I never see these while browsing, the ones I do encounter (thru the email) don't bother me.

    While going to your website I did see you had a tiny URL at the top on the right side. Since I am in Firefox I right-clicked on it and scrolled down to the NoScript tab, which opened another drop-down showing the real URL and any others attached to the link.

  9. #9
    New Lounger
    Join Date
    Dec 2009
    Location
    South Florida, USA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    If you're using Chrome as your browser, right-click on the URL and choose "Inspect Element."
    It will open a window at the bottom of the screen with the hyperlink and its resultant URL highlighted.

    Walt

  10. #10
    New Lounger
    Join Date
    Sep 2010
    Location
    Chico, California, USA
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Why not just right-click the short URL and look at properties? That shows the real link.

  11. #11
    New Lounger
    Join Date
    Dec 2009
    Location
    Ottawa, Ontario, Canada
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Richard Eastman at
    http://blog.eogn.com...l-links.html#tp
    has an interesting article in which he claims that Google's shortening has a security advantage.

  12. #12
    New Lounger
    Join Date
    Feb 2010
    Location
    Atlanta, GA
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Good article. However, for those reporting being able to see the true destination by hovering over one of the short URLs it is not because of a feature of your email client or browser. It's because the HTML email has the actual long URL coded into it.

    For example, here's the actual HTML from first example in the newsletter email:

    http://bit.ly/10Sjt

    Same holds true for the Web version.

    Ed
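Post #12's point, as an added example that is not part of the original thread: hovering shows an anchor's `href`, so it reveals the destination only when the long URL is what was coded into the link. The markup below is constructed (the long URL is a placeholder), and `audit_links` and its labels are illustrative names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
SHORTENERS = {"tinyurl.com", "bit.ly", "is.gd"}  # services named in the column

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def audit_links(html):
    """Label each link: 'shortener', 'mismatch' or 'ok' (hover shows href only)."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    report = []
    for text, href in collector.links:
        text_is_url = "." in text and " " not in text
        if host(href) in SHORTENERS:
            note = "shortener"   # hovering reveals only the short URL
        elif text_is_url and host(text) != host(href):
            note = "mismatch"    # displayed URL is not where the link goes
        else:
            note = "ok"
        report.append((text, href, note))
    return report

# Constructed sample markup (placeholder long URL), not the newsletter's HTML.
SAMPLE_HTML = """
<a href="http://news.example/column">the column</a>
<a href="http://news.example/column">http://bit.ly/10Sjt</a>
<a href="http://bit.ly/10Sjt">http://bit.ly/10Sjt</a>
"""
```

The second link is the case post #12 describes: short URL as text, long URL as `href`, so hovering shows the long address. The third is the case where hovering does not help and the short URL has to be expanded another way.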

  13. #13
    New Lounger
    Join Date
    Nov 2010
    Location
    Elgin, Oregon
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Information below was gathered long ago from http://support.microsoft.com/?id=833786 and gives a method of avoiding going to any spoofed URLs, not just shortened URLs.

    Copy and paste the following javascript alerts in a text file and keep it on your desktop. To check out the validity of any URL, copy and paste either of them into the browser's address bar and press "enter".

    javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");

    javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");

    Also, in the scenarios that Microsoft has tested, you can use the History Explorer Bar in Internet Explorer to help identify the URL of a Web page. Click History. Compare the URL in the Address bar with the URL that appears in the History bar. If they do not match, the Web site is likely misrepresenting itself and you may want to close Internet Explorer.

  14. #14
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts
    I use a FF addon called UntinyFox ( https://addons.mozil...ox/addon/10181/ ) which allows me to see a long URL in the FF status bar by hovering over the short link.

    See http://min.us/iRas6.jpg

    If you go here:
    http://www.untiny.me/extra/#addon=0

    there are numerous variations on this code for Chrome, Opera, a bookmarklet and what looks to be support for IE8 (which might work in IE9).

  15. #15
    New Lounger JackSprat's Avatar
    Join Date
    Feb 2010
    Location
    Toronto, ON, Canada
    Posts
    19
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Originally Posted by Willem J Kegge:
    Why not just right-click the short url and look at properties. That shows the real link
    I agree.. that is by far the easiest way to check ANY link!
