Everybody spies on everybody on the internet, right? News organizations monitor users’ behavior on their sites to find out which articles do well and where visitors come from. Marketers and social media networks attempt to track your movements across the entire Internet with the help of cookies and remote content such as pictures.
But tracking people on the Internet is not difficult. Anyone can gather information about their site’s visitors simply by signing up for a URL shortening service, like Bitly, Buffer, or Owly and running their URL through the provided tool.
The user can share this shortened link in an email, social media post, or external website to accurately track how many visitors they receive from this source. The shortened URL will also provide further information about the visitors, such as their approximate location, social media channel, browser, and operating system.
Risks For Visitors
Using a shortened URL has two risks for the visitor.
Firstly, they are being tracked. This especially becomes a risk when a shortened URL link is only handed out to a single visitor, for example, in a private email or chat. As only one person is using the link, it becomes scarily easy for anybody, even without technical knowledge, to find the link user’s approximate location, browser, and operating system information. The provider of the shortened link might even be able to get the user’s IP address or correlate data with other links the user has clicked on to generate knowledge about the user’s social interactions.
This personal information could then be exploited by social engineering, for example, by posing as a customer service representative from a computer manufacturer and presenting IP and OS information as “proof” of their credentials.
Secondly, URL shorteners allow people to hide malicious links. Most users likely check a link before they click on it, but URL shorteners make it impossible to inspect or verify the link without exposing yourself to the risks of tracking, or exposure to an infected site.
Some services, such as Sniply and Start A Fire, go even further. They do not simply redirect a visitor to a site, but instead will proxy the site through their own domain. This is commonly known as a Man-In-The-Middle Attack and it allows the service to intercept and monitor all traffic between the server and the user, defeating common encryption such as HTTPS.
Sniply and Start A Fire’s Man-In-The-Middle Attack control both the user and the website they intended to visit, allowing the opportunity to intercept messages, passwords, and any other interaction. Some of this data is then made available to their users, or processed for themselves.
This can have grave security consequences for applications like banking and social media, if the end user does not carefully examine their URL and the validity of the security certificate.
Additionally, Sniply and Start A Fire do not encrypt the traffic they proxy, making the information in transit vulnerable to snooping by third parties.
Defend Against Attacks
You can mitigate the issues caused by URL shorteners by using a service like unshorten.me, which reveals the destination URL, or by opening shortened links in the Tor browser. Both options allow the user to anonymously and securely find out where the shortened link leads, though they still might reveal the exact time they looked at the shortened URL to the link’s creator.
Users need to be alert about the URLs they visit and click on, making sure that they really are visiting the official site. When it doubt, searching for the site via Google might help. It is also important to look out for valid encryption certificates by checking for the green lock in the browser’s address bar. If there is no green lock, or if the URL does not match the site you visit, no password or personal data should be entered.
URL shorteners highlight some general problems with the Internet. For example, everyone reveals their private IP address to every single site and service they connect to. This information could later be used to attack you, for example, by connecting your real world identity to your online persona (called doxing).
To protect and hide your IP address behind a proxy, use a VPN service, or the free Tor browser. While neither entirely eliminate the information visible to a URL shortener, they will remove your physical location. In any case, always make sure your operating system and browser are up to date to avoid becoming a victim of malware.
Arthur Baxter is an Operations Network Analyst at ExpressVPN, a leading privacy advocate whose core mission is to make it easy for everyone to use the Internet with security, privacy, and freedom. They offer 100+ VPN server locations in 78 countries. They regularly write about internet security and privacy at the ExpressVPN blog.