March 16, 2009

TinyURL and Security Issues WSINWIG (What You See Is NOT What You Get)

We have all seen URLs like this one:
It is, well, a bit long. Sites like and
For the security conscious among us, this represents a troubling security issue. Normally, hovering the mouse cursor over a link will show the actual URL, regardless of the text used in the link. This is a very important security tool. The following link is a little deceptive:

Click here to apply for jobs at IBM
By default, the links generated by TinyURL or obfuscate the true URL of the link – nothing shows up when you hover the cursor over them. This is like getting on an unmarked bus because someone told you it is going Downtown. Maybe it is, and maybe it isn’t. does offer an opt-in preview feature that can be activated on their website, and has created an experimental plug-in for Firefox, so there is some hope. Support on smart phones is only partial for both products. We can only hope that these options mature and previews eventually become the default behavio(u)r. We do our best to educate users to avoid clicking on active links, or at least verify them. From a security and anti-phishing perspective, eliminating the verification option is just a bad idea.

Dennis H in West Virginia, US
March 13, 2009

Homepage: Nerds On Site

Blog Home: Blog

Artile: TinyURL and Security Issues WSINWIG (What You See Is NOT What You Get)

Sort By Category