104

There are a lot of different URL shorteners out there, like Bitly or TinyURL. Besides their main purpose of shortening a link, they also:

  • obfuscate the actual URL
  • collect statistics about the usage of the short link

From the obfuscation, at least two risks arise:

  • The actual URL might have been obfuscated to hide its suspicious domain. While people might click on a link of a well-known link shortening provider, they probably would not access a URL that looks like paypal.secure-sfksjdfs.com, AMAZ0N.COM or ajhssafskjh.ru.

  • The actual URL might have been obfuscated to hide the query string that might contain identifying data. This could be personal data like in this URL:

    https://completelyimaginary.url/[email protected] 

    Or an ID that might be relatable to you (e.g. in case it was only sent to you):

    https://completelyimaginary.url/index.html?id=T3X3MAPNEIYAKAZPHNC4 

    Or it may contain information that has been obfuscated even more (Base64):

    https://completelyimaginary.url/index.html?url=aHR0cHM6Ly9iaXQubHkvM2t3UVYyMA-- 

To avoid these risks, can I safely preview a short link to be able to inspect the actual URL before opening it? In other words, can I get the target URL without actually accessing it?

4
  • 6
    What threat model is it? Target site injecting malware to the browser, or long URL to contain sensitive information about yourself that you don't like them to collect? E.g. if your email address is encoded in the URL, you are telling spammers your address is correct and actively monitored Commented Sep 23, 2021 at 8:34
  • @usr-local-ΕΨΗΕΛΩΝ I'm focussing on the obfuscation part, so both your threat models (and maybe more) are applicable. Commented Sep 23, 2021 at 17:16
  • 3
    If the provider wants to collect statistics, there's no way to avoid that. All you can do is obfuscate your metadata. Commented Sep 23, 2021 at 22:32
  • @usr-local-ΕΨΗΕΛΩΝ makes a salient point about the threat model. What if it links to vaccine misinformation and you read it and believe it and don't get your shots. You could lose your life. Very dangerous. Commented Sep 25, 2021 at 0:29

5 Answers

148

APIs

Most of the link shortening providers offer a possibility to preview the URL a short link will redirect to. Most times, it is sufficient to modify a little detail of the short link:

Bitly

Add a plus sign (+) to the short link:

https://bit.ly/3kwQV20 -> https://bit.ly/3kwQV20+ 

Or paste the link into Bitly's link checker.

Cuttly

Add an at sign (@) to the short link:

https://cutt.ly/YEh65VC -> https://cutt.ly/YEh65VC@ 

is.gd

Add a hyphen sign (-) to the short link:

https://is.gd/vzC7mi -> https://is.gd/vzC7mi- 

Tinycc

Add an equal sign (=) to the short link:

https://tiny.cc/pijs001 -> https://tiny.cc/pijs001= 

TinyURL

Add a plus sign (+) to the short link:

https://tinyurl.com/3yw559cj -> https://tinyurl.com/3yw559cj+ 

Or add preview as a subdomain to the short link:

https://tinyurl.com/3yw559cj -> https://preview.tinyurl.com/3yw559cj 

Command line tools

Not all link shortening providers offer an API to preview a short link. Other link shortening providers in contrast might preview too much by not only displaying the expanded URL but also rendering a preview image of the URL which requires following the link already.

To circumvent this, you can use command line tools to get the expanded URL of a short link. Technically, every link shortening provider uses URL redirection to forward you to the expanded URL. This is a concise technical process that is not as ambiguous as whatever happens when you use the preview API of a link shortening provider.

You can instruct command line tools to access a short link in the most minimal way by only getting the HTTP headers and thus the info about the redirection, but not to follow any redirections. This way, you can get the expanded URL without visiting it, probably for all link shortening providers, independently of potentially existing preview APIs.

curl

curl does not follow redirections by default. Just add --head to only request the header and --silent to get a less verbose output:

curl --head --silent https://bit.ly/3kwQV20 | grep -i ^Location: 

Example output:

location: https://security.stackexchange.com/q/255448/230952 

--head and --silent can be abbreviated with -Is.

wget

Alternative with wget:

wget --max-redirect=0 --server-response --spider https://bit.ly/3kwQV20 2>&1 | grep -i '^\s*Location:' 

wget will follow redirections by default, so you have to limit it with --max-redirect=0. Furthermore, it will write to the error stream, so you have to redirect that to be able to grep it. Example output:

Location: https://security.stackexchange.com/q/255448/230952 

If the target looks like another redirection, then you can re-run the command, changing --max-redirect=0 to --max-redirect=1. This makes wget stop before the second redirect, etc.

PowerShell

Alternative with Invoke-WebRequest:

(Invoke-WebRequest -Uri https://bit.ly/3kwQV20 -Method Head -MaximumRedirection 0 -ErrorAction SilentlyContinue).Headers.Location 

Or more abbreviated:

(iwr https://bit.ly/3kwQV20 -Me H -Ma 0 -EA Si).Headers.Location 

Example output:

https://security.stackexchange.com/q/255448/230952 

Be aware that Windows PowerShell probably uses curl and wget as aliases for Invoke-WebRequest. If you really want to call curl, write it out as curl.exe:

curl.exe --head --silent https://bit.ly/3kwQV20 | Select-String -Pattern '^Location:' 

3rd party URL checkers

If you do not have access to the above command line tools and you do not know a preview API of a particular link shortening provider, you can also use online services to expand the URL for you. Be aware that you probably do not know how exactly they work. So they might even access the target URL, which might be undesirable in some threat models. Example websites:

Conclusion

While many link shortening providers offer APIs to expand a URL, you have to remember the correct API to actually do it. As not all link shortening providers even offer an API for previews, a more generic approach is to use command line tools. They are probably built-in tools of your OS anyway (curl/wget on Linux/Unix and PowerShell on Windows) and therefore quite easy to access.

Expanding the URL helps you to tackle the threat from URL obfuscation, but be aware that there is currently no way to query the expanded URL from a link shortening provider without them noticing it. So usage statistics cannot be avoided when interacting with a short link.

11
  • 11
    These are good solutions and I enjoyed learning about the APIs. These do not address OP's bullet point about collecting statistics. If the URL shortener is unique to a particular user or is collecting stats about requests. I think this is still the best answer though, since there isn't a way to unfurl a short URL without actually calling the shortener service since most services generate the short URL with a token. Commented Sep 22, 2021 at 15:21
  • 25
    If you omit the -L option from the curl command line, just the first redirect is resolved, so the target website doesn't get to know it. (The link shortener service still can log this, though.) Commented Sep 22, 2021 at 22:30
  • 6
    For wget you can use wget --max-redirect=0 https://bit.ly/3kwQV20 This tells wget to not follow the redirect, but it will print the redirect location. If the redirect points at another redirect, then increase the 0 Commented Sep 23, 2021 at 12:43
  • 1
    @PaŭloEbermann: That (with CSM's wget version) should be an answer not buried in a comment. Commented Sep 23, 2021 at 14:09
  • 2
    @Freiheit I guess OP can just edit their original question to allow their self-answer to fit better ;) Commented Sep 23, 2021 at 14:44
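An added Python example, not code from the answer above or from curl, wget or any shortener. It does in code what the curl and wget commands do: one HEAD request per hop, no automatic redirect following, and with the default of one hop the target is reported but never contacted. It then inspects the expanded URL's query string for the kinds of identifying data the question lists (an email address, an opaque ID, a base64 blob, which it decodes so a nested URL becomes visible). The function names, the User-Agent string and the offline lookup table are my own constructions; the table reuses the bit.ly link and example output shown in the answer so the demo runs without a network.

```python
"""Added example: expand a short link hop by hop without visiting the target,
then inspect the expanded URL's query string for identifying data.
Function names, the User-Agent and the demo lookup table are constructed here."""
import base64
import binascii
import http.client
import re
import sys
from urllib.parse import parse_qsl, urljoin, urlsplit


def fetch_location(url, timeout=10):
    """One HEAD request; return the Location header of a 3xx reply, else None.
    http.client never follows redirects, so only this one host is contacted."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "link-expander/0.1"})  # constructed UA
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand_chain(url, max_hops=1, fetch=fetch_location):
    """Resolve at most max_hops redirects, like wget --max-redirect=N.
    Returns the URLs seen, starting with the short link.  At most max_hops
    requests are sent; if every hop redirected, the final entry was never
    requested, so max_hops=1 leaves the target unvisited.  `fetch` is
    injectable so the logic can be exercised offline."""
    chain = [url]
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:                        # not a redirect: chain ends here
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain


def contacted(chain, max_hops):
    """The URLs that expand_chain actually sent a request to."""
    return chain[:min(max_hops, len(chain))]


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}[=-]{0,2}")
TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,}")


def decode_base64_like(value):
    """Decode standard or URL-safe base64; tolerate padding written as '-'
    (as in the question's example) or omitted.  Returns printable text or None."""
    body = value.rstrip("=-")            # assumes a trailing '-' is padding, not data
    padded = body + "=" * (-len(body) % 4)
    try:
        raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def inspect_query(url):
    """Flag query parameters that may identify the recipient.  Returns a list of
    (parameter, kind, value); base64 blobs are reported decoded.  Note that
    parse_qsl turns a literal '+' into a space, so standard base64 containing
    '+' must be percent-encoded in the URL to survive."""
    findings = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if EMAIL_RE.fullmatch(value):
            findings.append((key, "email address", value))
            continue
        decoded = decode_base64_like(value) if B64_RE.fullmatch(value) else None
        if decoded is not None:
            findings.append((key, "base64", decoded))
        elif TOKEN_RE.fullmatch(value):
            findings.append((key, "opaque token", value))
    return findings


if __name__ == "__main__":
    hops = 1
    if len(sys.argv) > 1:                # live: a single HEAD request to the shortener only
        chain = expand_chain(sys.argv[1], max_hops=hops)
    else:                                # offline demo using a constructed lookup table
        recorded = {"https://bit.ly/3kwQV20":
                    "https://security.stackexchange.com/q/255448/230952"}
        chain = expand_chain("https://bit.ly/3kwQV20", max_hops=hops, fetch=recorded.get)
    sent = contacted(chain, hops)
    for u in chain:
        print(f"{'requested' if u in sent else 'NOT requested'}: {u}")
    for finding in inspect_query(chain[-1]):
        print("  identifying data:", finding)
```

Run it with a short link as the only argument to send one HEAD request to the shortener, or with no argument for the offline demo. Raise max_hops only when the reported target is itself another redirector, exactly as the answer suggests with --max-redirect, and keep in mind that each extra hop is one more host that sees your request.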
9

collect statistics about the usage of the short link

There is no way to prevent that. In order to reveal the target link one must enquire the URL shortener service (e.g. bit.ly) in order for them to disclose the HTTP Location header, as the most-voted answer applies.

The shortener automatically collects statistics, so you have to 1) trust it acts neutrally and 2) care to what extent it exposes such statistics to the owner of the link.

Sometimes, phishers want to generate long links that contain personally-identifiable information (e.g. https://name-of-the-bank.password-recovery-service.xxx/recovery?whoToGreet=John+Doe) which gets shortened to a unique URL.

Now if the shortener provides a statistics API it is possible to see if a unique link has ever been checked. I doubt that the shortener also reveals the IP address of every requester (but they collect that!)

4

URL scanners and sandboxes, like URLScan.io, address the obfuscation and safety in the sense that the link is not opened in your browser but rather analyzed in its sandbox. It gives you data gathered and evaluated about the website.

However, I don't know (and I doubt) if it addresses the statistics part of your question.

1

The other answers already address tools that can resolve the redirect without visiting the sites, but if you:

  • Want to actually load the site yourself in a sandboxed environment while hiding your IP / location / unique browser fingerprint (domain names don't tell you everything),
  • Want to resolve any redirects hidden behind the shortener (such as for investigating scam redirect chains),
  • Aren't concerned about information in the link itself being traced back to you (usually unique IDs as parameters, which you could optionally prune)

You could try Tor Browser.

It's a modified version of Firefox which utilizes the open-source Tor onion router to hide your IP by bouncing through volunteer nodes around the world. It is designed for anonymity so if you use it as intended, anything which wasn't given to the website via the link parameters or anything you enter into it should theoretically go poof once you close the window. A basic visit should only tell the website the URL you used, the exit node you went through (which thousands of users with the same generic fingerprint use every day), and the time you visited.

Further reading: Tor Overview

0

The URL shortener v.gd/ gives the recipient the full URL and a link to click on when you access the shortened URL. The link presented can take the visitor to the intended target of the shortened URL. V.gd provides this intermediate webpage on their site for users to inspect the full target before choosing to proceed.

It's possible the site collects statistics when a user uses their shortened URL.
