Imagine this: you are going through a dating site. You come across a great profile and an amazing picture… You click or swipe, so do they, and you start to get excited. You exchange messages and are ready to meet. You get there and they look so different from their picture, or they have stretched the facts a bit. I know, that would never happen in real life… Right? It might not rise to the level of catfishing, but it is definitely not cool.

Cybersecurity takes vigilance; people hide the truth… especially evil people. You all know that you have to be careful with password length and reuse. You also know about sharing too much information over social media or with a stranger. Here is an issue that you probably don't think of very often: URL shorteners. URL shorteners are convenient tools that condense lengthy web addresses into concise, manageable links. Services like Bitly and TinyURL let users share URLs efficiently across platforms, from social media to email. However, beneath their convenience these services touch on fundamental issues of privacy, trust, and data security.

1. Obscured Destination – URL shorteners conceal the destination URL. While this may seem innocuous, it opens the door to abuse in several ways. One of the primary things we teach in any security awareness training is to look at a link, either directly or by hovering over it. Malicious actors can use shortened links to disguise phishing attempts, malware distribution, or other nefarious activities. Without visibility into the actual destination, users are left more vulnerable to exploitation. Shortened links also break the very habit we have been training users to build: checking the URL before clicking.

2. Data Tracking – URL shortening services often track user interactions with shortened links, collecting data such as IP addresses, device information, and browsing habits. This data can be used for targeted advertising or surveillance, or even sold to third parties without user consent. Users unknowingly relinquish control over their privacy.

3. Security Tools – Shortened URLs obscure the destination not only from people but also from security tools. If whoever controls a short link can change where it points, they can have it resolve to a harmless page when the tools check it, and then redirect it to something malicious after it has passed those checks.
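Points 1 and 3 above both come down to the same defensive move: resolve the short link yourself, one redirect at a time, and look at where it actually ends up, without ever loading the final page. The script below is an added example (not code from the original post) that does exactly that. It issues HEAD requests and refuses to follow redirects automatically so every intermediate hop is visible, stops on redirect loops or after a hop limit, and flags hosts from an assumed list of shortener domains. The redirect table at the bottom is constructed so the example runs offline; `http_head` is the real network variant. Re-running `expand` at click time and comparing the result with the destination recorded when the link was first scanned is how a gateway catches the bait-and-switch described in point 3.

```python
"""Resolve a shortened URL hop by hop without loading the destination page.

Added example, not code from the original post. Real lookups use HEAD requests
and never follow a redirect automatically, so each intermediate address is seen.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# Hostnames of some well-known shortening services (assumed list for this example).
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "lnkd.in", "goo.gl", "ow.ly"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# A head function returns (status_code, Location header or None) for one URL.
HeadFn = Callable[[str], tuple[int, Optional[str]]]


@dataclass
class Expansion:
    chain: list[str]          # every URL visited, starting with the input
    final: Optional[str]      # where the chain ends, or None if it did not end cleanly
    status: str               # "ok", "loop", "too_many_hops" or "error"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the caller sees each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url: str, timeout: float = 5.0) -> tuple[int, Optional[str]]:
    """Issue one HEAD request and report the status and Location header."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects refused, urllib reports 3xx responses as HTTPError.
        return err.code, err.headers.get("Location")


def is_shortener(url: str) -> bool:
    return (urlsplit(url).hostname or "").lower() in KNOWN_SHORTENERS


def expand(url: str, head: HeadFn = http_head, max_hops: int = 10) -> Expansion:
    """Follow redirects manually, stopping on loops, errors or too many hops."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        try:
            code, location = head(current)
        except Exception:
            return Expansion(chain, None, "error")
        if code not in REDIRECT_CODES or not location:
            return Expansion(chain, current, "ok")
        nxt = urljoin(current, location)   # Location may be relative
        chain.append(nxt)
        if nxt in chain[:-1]:
            return Expansion(chain, None, "loop")
        current = nxt
    return Expansion(chain, None, "too_many_hops")


# Constructed redirect table standing in for live servers, so the example runs offline.
SAMPLE_REDIRECTS = {
    "https://bit.ly/3xAmple": (301, "https://lnkd.in/abc"),
    "https://lnkd.in/abc": (302, "/go?to=real"),
    "https://lnkd.in/go?to=real": (302, "https://example.com/article"),
    "https://example.com/article": (200, None),
    "https://tinyurl.com/loop1": (302, "https://tinyurl.com/loop2"),
    "https://tinyurl.com/loop2": (302, "https://tinyurl.com/loop1"),
}


def sample_head(url: str) -> tuple[int, Optional[str]]:
    """Offline stand-in for http_head that answers from SAMPLE_REDIRECTS."""
    if url not in SAMPLE_REDIRECTS:
        raise ConnectionError(f"no sample response for {url}")
    return SAMPLE_REDIRECTS[url]


if __name__ == "__main__":
    for start in ("https://bit.ly/3xAmple", "https://tinyurl.com/loop1"):
        result = expand(start, head=sample_head)
        print(f"{start} (shortener: {is_shortener(start)})")
        for i, hop in enumerate(result.chain):
            print(f"  {i}: {hop}")
        print(f"  -> {result.status}: {result.final}")
```

Swap `sample_head` for the default `http_head` to resolve a real link; the hop limit and loop check matter there too, since a chain of shorteners pointing at each other would otherwise keep the checker busy forever.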

Some platforms shorten links without your permission. Social media sites like LinkedIn will shorten URLs if they are over 26 characters. I could not find details, but I would love to believe that they check those URLs before redirecting users there, as many email security devices do, to make sure they have not been tampered with. I don't know.

There are tools out there that will check any URL, shortened or regular: URLVoid, NordVPN's link checker, and VirusTotal, among others. These are great and look for all sorts of evil things, BUT we all know that people are lazy, don't want to be bothered, and won't typically go there.

The best advice, if you really want to shorten, is that you can often put a URL behind text or a button, making it more readable while still allowing hovering or scanning.
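Putting the real URL behind link text keeps it available to hover and to scanners, which means a scanner can do in bulk what a careful user does by hovering: compare what the link says with where it goes. The script below is an added example, not code from the original post. It pulls every anchor out of an HTML fragment and reports two things a reviewer of an outgoing newsletter or an incoming mail would want to see: links whose visible text is itself a URL on a different host than the real `href`, and links whose `href` points at one of an assumed list of shortener domains. The sample fragment is constructed for the example.

```python
"""Audit the links in an HTML fragment the way a hover would, in bulk.

Added example, not code from the original post. It reports links whose visible
text is a URL that differs from the real href, and links that point at a shortener.
"""
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Hostnames of some well-known shortening services (assumed list for this example).
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "lnkd.in", "goo.gl", "ow.ly"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse runs of whitespace in the visible text.
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare 'www.example.com' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True when the visible link text is itself written as a web address."""
    return text.lower().startswith(("http://", "https://", "www."))


def audit_links(html: str) -> list[dict]:
    """Return one finding per anchor, with a list of issues (empty when clean)."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        host = host_of(href)
        issues = []
        if host in KNOWN_SHORTENERS:
            issues.append("shortened")
        # Text that reads as a URL but resolves to a different host is the
        # classic hover-reveals-the-truth case.
        if looks_like_url(text) and host_of(text) != host:
            issues.append("text-href mismatch")
        findings.append({"href": href, "text": text, "host": host, "issues": issues})
    return findings


# Constructed newsletter fragment used as sample input.
SAMPLE_HTML = """
<p>Read the <a href="https://example.com/report">quarterly report</a>.</p>
<p>Mirror: <a href="https://bit.ly/3xAmple">https://example.com/report</a></p>
<p>Sign in at <a href="https://login.example.net/">https://intranet.example.com/</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        flag = ", ".join(finding["issues"]) or "ok"
        print(f'{finding["host"]:24} {flag:28} text={finding["text"]!r}')
```

The first anchor is the recommendation in the paragraph above done right: descriptive text, full URL in the `href`, nothing hidden. The other two are what the check exists to catch.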

Something else to think about: if you do obfuscate a URL, you lose branding, you lose trust because users are wary of unclear URLs, and there are many other side effects.

So, while URL shorteners offer convenience and brevity, they also harbor significant security risks that cannot be ignored. Please find other ways to make things easier for your end users and leave the URLs in place.

I would love to hear your comments or questions about security, go ahead and post in the comments!
