Insights and Research

Are URL Shorteners Really Dangerous?

Are URL Shorteners Really Dangerous?

There has been plenty of buzz about URL shorteners and security. URL shorteners have been described as a new attack vector since being popularized by social networks such as Twitter. I don't feel that URL shorteners are any more of a threat than their full-length counterparts, and here's why.

How URL Shorteners Work

The purpose of a URL shortener is to replace a long URL (e.g: with a shorter one (e.g: Upon clicking on, a user is redirected to via an HTTP 301 redirection:
GET /cikl0z HTTP/1.1

HTTP/1.1 301 Moved
GET /downloadwhitepaper_stateofweb-q4-2009.html HTTP/1.1

HTTP/1.1 200 OK
The browser made two requests: one to and one to

Existing Defense Mechanisms

All the existing in-browser (Google Safe Browsing in Firefox, Opera's Fraud Protection, etc.) or external (IDS, proxy, etc.) URL scanners are applied on both the initial short and redirected long URL requests. If the long URL is a known malicious site, it will be stopped whether or not the the user clicks directly on the long URL or a shortened one.
Firefox Safe Google Browsing warning on a URL after a redirection

Also, content inspection (antivirus, deep packet inspection, etc.) is applied on both requests.

The use of URL shorteners and redirections does not require any new security inspection. All of the web browser security tools in place prior to the use of URL shorteners are still relevant.

Hiding the Real URL

The main argument against URL shortening services is that users don't know which domain they are being redirected to. In our previous example, users see the host name in the link address, and do not know that they will be redirected to until after they click on the link. After the redirection, the ultimate destination URL can be seen in the web browser address bar.
The long URL is displayed in the browser address bar after redirection

How many people know the difference between a good URL and a bad URL? Even then, how can anyone be sure that a site won't serve malicious content? Many perfectly legitimate websites (Red CrossIndian government websites, etc.) have been hacked and can contain an infamous hidden iframe to spread malware. Well-known websites are no longer necessarily safer than unknown or new sites. Simply using the reputation of the hostname to decide whether a URL is safe is not a good idea.

In a post Michael wrote a year ago, he checked 100,000 TinyURL (URL shortener service) URLs. He found no links to malicious executable files, no phishing sites, and very few redirections to malicious content.

I believe the danger of URL shorteners has been overblown, mainly based on the idea that individuals are in a position to determine if a website is dangerous or not simply by looking at the final URL. Users are far better off relying on antivirus, URL denylists, and regular browser updates for security. And these tools work just fine for shortened URLs as well.
- Julien

Stay up to date with the latest digital transformation tips and news.

By submitting the form, you are agreeing to our privacy policy.