Can I safely preview a short link?

Question

There are a lot of different URL shorteners out there, like Bitly or TinyURL. Besides their main purpose of shortening a link, they also:

obfuscate the actual URL
collect statistics about the usage of the short link

From the obfuscation, at least two risks arise:

The actual URL might have been obfuscated to hide its suspicious domain. While people might click on a link of a well-known link shortening provider, they probably would not access a URL that looks like paypal.secure-sfksjdfs.com, AMAZ0N.COM or ajhssafskjh.ru.
The actual URL might have been obfuscated to hide the query string that might contain identifying data. This could be personal data like in this URL:
```
https://completelyimaginary.url/index.html?mail=yourname@gmail.com
```
Or an ID that might be relatable to you (e. g. in case it was only sent to you):
```
https://completelyimaginary.url/index.html?id=T3X3MAPNEIYAKAZPHNC4
```
Or it may contain information that has been obfuscated even more (Base64):
```
https://completelyimaginary.url/index.html?url=aHR0cHM6Ly9iaXQubHkvM2t3UVYyMA--
```

To avoid these risks, can I safely preview a short link to be able to inspect the actual URL before opening it? In other words, can I get the target URL without actually accessing it?

What threat model is it? Target site injecting malware to the browser, or long URL to contain sensitive information about yourself that you don't like them to collect? E.g. if your email address is encoded in the URL, you are telling spammers your address is correct and actively monitored — usr-local-ΕΨΗΕΛΩΝ, Sep 23 '21 at 08:34
@usr-local-ΕΨΗΕΛΩΝ I'm focussing on the obfuscation part, so both your threat models (and maybe more) are applicable. — stackprotector, Sep 23 '21 at 17:16
If the provider wants to collect statistics, there's no way to avoid that. All you can do is obfuscate your metadata. — OrangeDog, Sep 23 '21 at 22:32
@usr-local-ΕΨΗΕΛΩΝ makes a salient point about the thread model. What if it links to vaccine misinformation and you read it and believe it and don't get your shots. You could lose your life. Very dangerous. — emory, Sep 25 '21 at 00:29

stackprotector · Accepted Answer · 2021-09-26T08:34:48.480

144

Most of the link shortening providers also offer a possibility to preview the URL a short link will redirect to. Most times, it is sufficient to modify a little detail of the short link:

Bitly

Add a + sign to the short link (source):

https://bit.ly/3kwQV20 -> https://bit.ly/3kwQV20+

Cuttly

Add a @ symbol to the short link:

https://cutt.ly/YEh65VC -> https://cutt.ly/YEh65VC@

is.gd

Add a - (hyphen) sign to the short link:

https://is.gd/vzC7mi -> https://is.gd/vzC7mi-

TinyURL

Add a + sign to the short link:

https://tinyurl.com/3yw559cj -> https://tinyurl.com/3yw559cj+

Or add preview as a subdomain to the short link:

https://tinyurl.com/3yw559cj -> https://preview.tinyurl.com/3yw559cj

If the link shortening provider does not offer a way to preview the URL, you can also use the following tools to get the URL to which a short link will redirect to. They all have in common that they will only download the headers of the short link and will not follow the URL the short link points to. Be aware that your access may be logged by the link shortening provider and it also may be added to the statistics of the short link usage.

curl

curl does not follow redirects by default. The option -I tells it to only download the headers:

curl -sI https://bit.ly/3kwQV20 | grep -i Location

Output:

location: https://security.stackexchange.com/q/255448/230952

wget

Alternative with wget:

wget -S --spider --max-redirect=0 https://bit.ly/3kwQV20 2>&1 | grep -i Location

wget will follow redirections by default, so you have to limit it by --max-redirect=0. Furthermore, it will write to the error stream, so you have to redirect that to be able to grep it. The output will be:

Location: https://security.stackexchange.com/q/255448/230952

If the target looks like another redirection, then you can re-run the command, changing --max-redirect=0 to --max-redirect=1. This makes wget stop before the second redirect, etc.

PowerShell

Alternative with Invoke-WebRequest:

(Invoke-WebRequest -Uri https://bit.ly/3kwQV20 -Method Head -MaximumRedirection 0 -ErrorAction SilentlyContinue).Headers.Location

Or more abbreviated:

(iwr https://bit.ly/3kwQV20 -Me H -Ma 0 -EA Si).Headers.Location

Output:

https://security.stackexchange.com/q/255448/230952

URL Checkers

If you don't have access to the above tools, you can also use online services to do it for you. Be aware that you probably don't know how exactly they work. So they might even access the target URL, which might be undesirable in some threat models. Example websites:

edited Sep 26 '21 at 08:34

answered Sep 22 '21 at 06:55

stackprotector

1,621
3
6
15

9

These are good solutions and I enjoyed learning about the APIs. These do not address OPs bullet point about collecting statistics. If the URL shortener is unique to a particular user or is collecting stats about requests. I think this is still the best answer though, since there isn't a way to unfurl a short URL without actually calling the shortener service since most services generate the short URL with a token. – Freiheit Sep 22 '21 at 15:21
25

If you omit the `-L` option from the curl command line, just the first redirect is resolved, so the target website doesn't get to know it. (The link shortener service still can log this, though.) – Paŭlo Ebermann Sep 22 '21 at 22:30
curl() and wget are useful tools, but you can also just use a disposable VM. Beware that if this is in your corporate inbox it may be an audit, be creative with the user agent string. – mckenzm Sep 22 '21 at 22:57
6

For `wget` you can use `wget --max-redirect=0 https://bit.ly/3kwQV20` This tells wget to not follow the redirect, but it will print the redirect location. If the redirect points at another redirect, then increase the `0` – CSM Sep 23 '21 at 12:43
1

@PaŭloEbermann: That (with CSM's wget version) should be an answer not buried in a comment. – R.. GitHub STOP HELPING ICE Sep 23 '21 at 14:09
2

@Freiheit I guess OP can just edit their original question to allow their self-answer to fit better ;) – maxathousand Sep 23 '21 at 14:44
@maxathousand I'm definitely not done yet, just give me some time to complete it ;-) PaŭloEbermann and CSM, I encourage you to either edit your excellent suggestions in or add your own answers, just to record the contribution properly. – stackprotector Sep 23 '21 at 14:53
Oof, the powershell syntax is so much worse than `curl` or `wget`. Did you get that right on the first attempt or did you go through some trial and error? – Džuris Sep 23 '21 at 21:28
@Džuris it's also aliased as `wget`, with most of the same options working – OrangeDog Sep 23 '21 at 22:31
@Džuris While PowerShell often requires some sort of _verbose_ code (which allows abbreviations, see my edit), it has the advantage of working with .NET objects. So you rarely need to use tools like `grep`, `sed` or `awk` to extract a particular information from an output. You can just access your desired information by traversing an object hierarchy. – stackprotector Sep 24 '21 at 06:56
Use `grep -i ^Location:` instead of `grep -i Location` to make the filter more reliable. – pabouk - Ukraine stay strong Sep 24 '21 at 12:57

usr-local-ΕΨΗΕΛΩΝ · Answer 2 · 2021-09-24T13:43:32.310

collect statistics about the usage of the short link

There is no way to prevent that. In order to reveal the target link one must enquire the URL shortener service (e.g. bit.ly) in order for them to disclose the HTTP Location header, as the most-voted answer applies.

The shortener automatically collects statistics, so you have to 1) trust it acts neutrally and 2) care to what extent it exposes such statistics to the owner of the link

Sometimes, phishers want to generate long links that contain personally-identifiable information (e.g. https://name-of-the-bank.password-recovery-service.xxx/recovery?whoToGreet=John+Doe) which gets shortened to a unique URL.

Now if the shortener provides statistics API it is possible to see if a unique link has been checked ever. I doubt that the shortener also reveals the IP address of every requester (but they collect that!)

score 4 · Answer 3 · edited Sep 24 '21 at 08:39

4

URL scanners and sandboxes, like URLScan.io, address the obfuscation and safety in the sense that that the link is not opened in your browser but rather analyzed in its sandbox. It gives you data gathered and evaluated about the website.

However, I don't know (and I doubt) if it addresses the statistics part of your question.

edited Sep 24 '21 at 08:39

schroeder

123,438
55
284
319

answered Sep 24 '21 at 04:29

Gabriel

41
1

score 1 · Answer 4 · answered Sep 24 '21 at 08:25

The other answers already address tools that can resolve the redirect without visiting the sites, but if you:

Want to actually load the site yourself in a sandboxed environment while hiding your IP / location / unique browser fingerprint (domain names don't tell you everything),
Want to resolve any redirects hidden behind the shortener (such as for investigating scam redirect chains),
Aren't concerned about information in the link itself being traced back to you (usually unique IDs as parameters, which you could optionally prune)

You could try Tor Browser.

It's a modified version of Firefox which utilizes the open-source Tor onion router to hide your IP by bouncing through volunteer nodes around the world. It is designed for anonymity so if you use it as intended, anything which wasn't given to the website via the link parameters or anything you enter into it should theoretically go poof once you close the window. A basic visit should only tell the website the URL you used, the exit node you went through (which thousands of users with the same generic fingerprint use every day), and the time you visited.