Scammers use Google Maps to skirt link-shortener crackdown Scam sites have been abusing a little-known feature on Google Maps to redirect users to dodgy websites. This according to security company Sophos, who says a number of shady pages are being peddled to users via obfuscated Maps links. According to security shop Sophos scammers are using the Maps API as a defacto link- …
Why do we need link shorteners anyway. Handy if you have to type a URL in by hand but it's a machine that is happy handling long URLs in links. I want to see where the link goes FFS. That and email links where the underlying URL doesn't match the text that looks like a URL. Even UK police do that in their email warnings about scams.
Maybe because of http://www.thelongestlistofthelongeststuffatthelongestdomainnameatlonglast.com/wearejustdoingthistobestupidnowsincethiscangoonforeverandeverandeverbutitstilllookskindaneatinthebrowsereventhoughitsabigwasteoftimeandenergyandhasnorealpointbutwehadtodoitanyways.html
It's handy when some forums, email clients, messaging systems break the VeryLong URL into bits to fit on each line and only the first bit is given the anchor tag which borks the whole URL business.
I don't use URL shorteners and I never click on them anyway. If I can't see and know where they are pointing at I won't "engage the user experience" </MarketingMode>
Preferred use:
https://www.google.com/maps/dir/Menlo+Park+Caltrain+Station,+Menlo+Park, +CA,+USA/San+Francisco+International+Airport+(SFO),+San+Francisco,+CA+94 128,+USA/Young+Ct,+San+Francisco,+CA+94129,+USA/@37.6234356,-122.4719716 ,11z/am=t/data=!4m23!4m22!1m5!1m1!1s0x808fa4ae453a8637:0xa0d39978eada388 a!2m2!1d-122.1819487!2d37.4541935!1m5!1m1!1s0x808f778c55555555:0xa4f25c5 71acded3f!2m2!1d-122.3789554!2d37.6213129!1m5!1m1!1s0x808586e29c7dfb41:0 xb3504aa846853a9f!2m2!1d-122.4787696!2d37.7922186!2m2!2b1!3b1!3e0?shortu rl=1&dg=dbrw&newdg=1
Who could possibly want to use: https://goo.gl/maps/nyJ2bwBj3xT2
The issue is not utility - these things are useful. The issue is security and trust.
The only way to find out where a particular short-URL goes is to try and access it, so either your browser would have to try and access every URL in a page before you read it, or there'd have to be a list of URL shorteners so that the browser only had to check out some of the links on the page.
curl https://xza.fr/$/TESTX
^ that's as simple as it is with my new URL shortener: xza.fr
- all links expire after 100000 epoch seconds (approx 1 day)
- TLS v1.2 + perfect-forward-secrecy only with HSTS preload embedded in your browsers soon
- 100% javascript free
- open source
- no logs, other than default nginx settings !
- read more: https://xza.fr/public/htm/about.htm
i started working on it before google announced they were shutting theirs down !
Maybe there's a market for a URL-shortening service that doesn't auto-redirect. Instead it pops up an alert giving the real target and asks if you want to go there.
It wouldn't help the gullible and/or stupid, who'd say "Yeah, of course I want to go to fakebank.com" or those who automatically click through warnings. But for some of us it would be useful. It might even be a way for goo.gl to keep going.
That's what I was bringing up earlier. If they spelled it out for you, then you have a chance to change your mind. It's the redirect-you-blindly that makes it all dangerous. If there weren't a legitimate need to handle moves, we wouldn't have to keep redirects in the HTML standard.
TinyURL offers previewing, though they don't promote it as much as they might. https://tinyurl.com/ybdhn32u autoredirects but https://preview.tinyurl.com/ybdhn32u will take you to a tinyurl.com page showing the destination.
It seems individual users can automatically preview all tinyurl links if they install a cookie in their browser. https://tinyurl.com/preview.php
bit.ly does too, just add a plus symbol (+) on the end of any bit.ly link and you can see the full redirect url, the meta info for the redirect page and the stats for the number of clicks. Makes for interesting viewing when seeing how many people click on some dubious links on Twitter etc.
I know that short links are usually somewhat helpful, so I usually reserve a directory at root of the web server for such a system. For example, example.com/url/* is a shortened link, and I can make it clear what they'll see at that page and logical. People still know that it's my site they're contacting, and although the links may be longer than some of the shorteners out there, they can be quite short because there is no competition that drives up the key length and they will fit into tweets or short messages should someone want to send them.
That's a thought at least. It could even be automated somewhat so that each public-facing page has some kind of random key to it which can then be internally spidered and symlinked in some "key" directory off the root to allow for shortened SMS-friendly URLs that still give you a good idea where you're going.
marketing and staff training in a uk retail bank I used to work at was using shorteners for <internal> urls.
they didn't think of of the fact that the url shortener might get hacked and someone spin up a perfect copy of the website (as tends to happen with bank sites, don't y'know) with god knows what on it. that and putting info about internal DNS on public shortening service. fortunately infosec found out about it and killed it.
AC for the obvious reason.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
