URL shorteners

The widespread use of instant messaging tools, microblogging services and other social media with character limits has led to the general use of shortened links (URLs) to share web addresses. However, when we click on a short URL we cannot be sure where it will point, and this may entail a risk to our privacy. Therefore, special caution is required before clicking on any shortened link.

Users' Internet browsing experience is constantly evolving due to the continual development of new web services and changes in browser functions, which should be designed with privacy-by-default settings and should appropriately inform users of their possible implications for privacy and data protection.


I.    URL shorteners

Due to the development of microblogging services, such as Twitter, and the widespread use of instant messaging services, a wide range of link shortening services appeared on the internet. These services make it possible to replace the typically long URL of a website with a shortened, much more user-friendly version that still gives access to the original site. For example, the URL https://www.aepd.es/es/areas-de-actuacion/innovacion-y-tecnologia could be replaced by https://tinyurl.com/ueet-aepd, which is much shorter and easier to include in a message or tweet.

They are apparently innocent redirection services: when someone clicks on the shortened link, they are redirected to the original site.

Figure 1: Access to a website with/without URL shortener

As can be seen in the figure, access to a website without a URL shortener is direct, that is, the user’s device obtains a direct response from the service it intends to access.

However, when using URL shorteners, an intermediary is being used to access the intended final server. In the best-case scenario, this intermediary will only redirect us to the target service, but in other cases it may perform other functions that entail a privacy hazard. In fact, most services are designed to enable user monitoring.

Below is an example of the monitoring information about a specific user that this type of service may provide:

[Images: example of the monitoring information provided by a link shortening service]

II.    Privacy hazards

Some of the risks we may be exposed to when clicking on a shortened link are described below:

  • In the first place, we do not know where the shortened link leads; it may link to hazardous sites that mimic the website of another organization (phishing) or it may launch a malware download.
  • Introducing an intermediary when accessing a website involves providing this intermediary with some of our personal data (our IP as well as other information about our device and its operating system) as well as the fact that we are interested in accessing a particular website.
  • We are not aware of the number of redirections (each an intermediary) that we can be guided through before arriving at the target website.
  • Most link shortening services are prepared to carry out user monitoring and profiling functions, mostly for the purposes of online marketing, but these functions can easily be repurposed, for example to geolocate a user by means of their IP.
  • Some intermediaries included in the process may involve more complex user monitoring and processing techniques, such as those based on cookies, fingerprinting or others.

Although using shorteners may be beneficial for users, the following precautionary measures should be followed in order to avoid tracking as far as possible.

The first protection measure is to be aware of and understand those risks and, when receiving a shortened link, to consider the following measures:

  • In general terms, distrust shortened links and do not open them immediately, especially when they come from an unreliable source or from a chain message. If suspicious, it is best to leave them unopened.
  • Verify the link by means of an external service such as virustotal.com, urlxray.com or urlex.org, in order to find out whether it includes more redirections than foreseen and, if it does, which ones.
  • Do not provide your password or any other personal data on a banking page, online shop or any other service reached by means of a shortened link. Ideally, you should access the site again, making sure that you enter the verified address of the relevant service.