短.be

How Link Previews Work and Their Security Risks - Safe Operation of Short URLs

Explore the technical mechanisms behind link previews (OGP) generated by SNS and chat apps, and the security risks that arise through short URLs. Learn about preview spoofing attack techniques and defense strategies.

Apr 20, 2026 · About 3 min read

Security, Technical

Link previews are a feature where SNS and messaging apps display a preview of link content before users click, allowing them to grasp the destination's overview in advance. Major platforms including Facebook, X (formerly Twitter), LINE, Slack, and iMessage all implement link preview functionality, displaying titles, descriptions, and thumbnail images retrieved from OGP (Open Graph Protocol) meta tags. However, this convenient feature can create serious security risks when combined with short URLs. A 2024 study by Citizen Lab (University of Toronto) found that 15 out of 20 major messaging apps transmit users' IP addresses to destination servers during link preview generation, raising privacy concerns. Since short URLs can conceal the final destination through redirects, they can become a breeding ground for "preview spoofing" attacks where the information displayed in previews differs from the actual destination. This article explains the technical mechanisms of link previews and systematically organizes security risks and countermeasures related to short URLs.

The link preview generation process can be broadly classified into three architectures depending on the platform. The first is the "sender-side generation" approach, where the sender's device accesses the link destination to retrieve the OGP information and attaches the preview data to the message; iMessage and Signal adopt this approach. The second is the "server-side generation" approach, where the platform's own servers access the link destination to retrieve the OGP information; Facebook, X, and LinkedIn use this method. The third is the "receiver-side generation" approach, where the recipient's device accesses the link destination. This approach carries the highest privacy risk, because it exposes the recipient's IP address to the destination. When short URLs are involved, preview generation requests first reach the short URL service's server, which then redirects them to the final destination. During this process, the short URL service can record the user agent of each preview generation request and so identify which platform generated the preview.

Preview spoofing attacks work by dynamically switching the short URL's redirect destination. The attacker first sets a legitimate website (such as a major news site article) as the short URL's redirect destination. When SNS or chat apps generate link previews, the legitimate site's OGP information (title, description, thumbnail) is retrieved, displaying a trustworthy preview. After the preview is generated and cached, the attacker changes the redirect destination to a phishing site or malware distribution site. Users trust the legitimate site information displayed in the preview and click the link, but are actually directed to a malicious site. According to APWG's (Anti-Phishing Working Group) "Phishing Activity Trends Report" (Q4 2024), 18.3% of phishing attacks used short URLs, an increase of 4.7 percentage points year-over-year. This attack is particularly dangerous because it exploits the psychological bias where users assume "I checked the preview, so it's safe."

Security measures that short URL services should implement are multi-layered. First, recording redirect destination change history and automatically flagging short URLs whose destinations change frequently within short periods is effective. Legitimate redirect destination changes typically occur a few times per month; multiple changes within hours likely indicate malicious use. Second, checking redirect destinations against Google Safe Browsing API or PhishTank databases to block redirects to known phishing or malware distribution sites is essential. Third, displaying an interstitial page before redirecting that shows users the final destination URL is recommended. This intermediate page should display the destination domain name, SSL certificate status, and Google Safe Browsing verdict, enabling users to make informed decisions. Fourth, requiring CAPTCHA or email verification when creating short URLs prevents bots from mass-generating malicious short URLs. Combining these measures significantly reduces preview spoofing attack risks.
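A minimal model of the first countermeasure above, combined with the preview-fetch logging described earlier: a short URL record keeps its destination change history and its redirect request log, and an audit flags both rapid destination churn and the exact preview-spoofing sequence (preview bot served one destination, users later served another). This is an added example in Python, not code from 短.be; the preview-bot user-agent markers and all sample data are assumed values constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Substrings marking known link-preview fetchers (assumed values; an operator maintains this list).
PREVIEW_BOT_MARKERS = ("facebookexternalhit", "Twitterbot", "Slackbot-LinkExpanding", "LinkedInBot")

@dataclass
class ShortLink:
    slug: str
    destination: str
    changes: list = field(default_factory=list)  # (when, old_destination, new_destination)
    fetches: list = field(default_factory=list)  # (when, user_agent, destination_served)

    def set_destination(self, new: str, at: datetime) -> None:  # keeps the change history
        if new != self.destination:
            self.changes.append((at, self.destination, new))
            self.destination = new

    def record_fetch(self, user_agent: str, at: datetime) -> None:  # logs who was sent where
        self.fetches.append((at, user_agent, self.destination))

def is_preview_bot(user_agent: str) -> bool:
    return any(m.lower() in user_agent.lower() for m in PREVIEW_BOT_MARKERS)

def audit(link: ShortLink, window: timedelta = timedelta(hours=24), max_changes: int = 2) -> list:
    """'rapid_changes': more than max_changes destination changes inside one window;
    'preview_mismatch': a preview bot was sent to a destination that is no longer current."""
    findings = []
    times = [at for at, _, _ in link.changes]
    if any(sum(1 for t in times if t0 <= t <= t0 + window) > max_changes for t0 in times):
        findings.append("rapid_changes")
    if any(is_preview_bot(ua) and served != link.destination for _, ua, served in link.fetches):
        findings.append("preview_mismatch")
    return findings

# Constructed scenarios (sample data, not from the article) exercising the two rules above.
T0 = datetime(2026, 4, 20, 9, 0)

def spoofing_scenario() -> ShortLink:
    link = ShortLink("abc123", "https://news.example/article")                # legitimate target
    link.record_fetch("facebookexternalhit/1.1", T0 + timedelta(minutes=1))  # preview cached
    link.set_destination("https://login.example.invalid/", T0 + timedelta(hours=2))  # swapped
    link.record_fetch("Mozilla/5.0 (human browser)", T0 + timedelta(hours=3))
    return link

def churn_scenario() -> ShortLink:
    link = ShortLink("xyz789", "https://a.example/")
    for i, host in enumerate(("b.example", "c.example", "d.example"), start=1):
        link.set_destination(f"https://{host}/", T0 + timedelta(hours=i))  # 3 changes in 3 h
    return link
```

A flagged link is what the interstitial page or a Safe Browsing re-check should be triggered on; the thresholds here are placeholders to be tuned against the service's own change-history baseline.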

User-side defenses are equally important. First, develop the habit of not trusting link preview information alone, using short URL expansion services (unshorten.me, CheckShortURL, etc.) to verify final redirect destinations in advance. Especially for messages containing links to financial institutions or login pages, the safest approach is to manually type the official site URL into the browser's address bar rather than clicking the short URL directly. Corporate security managers should incorporate link preview spoofing attack examples into internal security training to improve employee literacy. NIST's SP 800-177 Rev.1 defines verification procedures for links in emails, and this approach can be applied to links in chat apps as well. The convenience and security of short URLs are always in a trade-off relationship, but by addressing both technical measures and user education, risks can be managed to acceptable levels.
