Please Don’t Use HootSuite; Ow.ly is Dangerous

by Aaron on March 3, 2010

Today’s article is a warning for anyone using Twitter (including photographers). There are a variety of third-party Twitter clients (I generally recommend TweetDeck or Brizzly), but I’m concerned by one of the players that seems to be gaining some traction. HootSuite offers a range of Twitter tools (including some really nice ones) but one of their “features” is the Ow.ly URL cloaking service… and it has a big problem. Using HootSuite, when one shrinks a URL it uses Ow.ly, and in doing so you’re contributing to confusion and security problems on the web.

Bad Behavior

Most URL shortening services such as Bit.ly and Tinyurl route users through a shortened URL and onto the destination webpage, with some services offering valuable metrics along the way. Ow.ly behaves a bit differently. Instead of simply redirecting users to the destination page, Ow.ly displays the destination’s page content, but framed with an Ow.ly bar across the top of the page, and the Ow.ly shortened link showing in the browser’s location bar instead of the page’s true address.

Ow.ly: A Perfect Setup for Phishing

You’ve probably noticed an increase in the number of phishing attacks on Twitter, and it’s not just the newbies that are getting duped. How do we train folks to avoid phishing? Generally it involves a couple things: don’t click on links when you can’t verify where they’re heading, and before typing in your password, look at the browser’s address bar to be absolutely sure you’re on the right website.

See the problem?

It’s not just annoying to have the Ow.ly bar on the page, it’s dangerous, since it means extra work to escape from Ow.ly to know whether you’re on a legitimate site or one that could be malicious.

Do you want to be the one handing out confusing, phishy-looking URLs to your readers? Ow.ly defenders will argue that end users can opt-out of the service, but don’t blame the victim… your readers shouldn’t have to jump through extra hoops because you’re using a poor set of tools.

The Solution

Don’t use Ow.ly (which really means don’t use HootSuite).

Use Bit.ly or one of the other, more transparent services. Bit.ly can integrate directly with clients such as TweetDeck and one can use their Bit.ly API key to get a full range of metrics on the shortened URLs.

For another look at this issue, including some direct (and very telling) quotes from folks at HootSuite, head over and read No More Owls: An Open Letter to HootSuite.

Photo by hans s, used under Creative Commons licensing

No related posts.

Tagged as: hootsuite, ow.ly, phishing, Twitter, url shorteners

http://twitter.com/CarrieLeighC Carrie C.

Thanks Aaron! Great points. I almost never will click an owl.ly link, and I know others who won't either, so people are definitely missing out on viewers by using Hootsuite's shortener as their tool.

I'd also like to add that if users want to continue using Hootsuite and already use Firefox (and I hope they DO use Firefox for its security), it becomes as simple as utilizing a URL shortening add-on made for Firefox. I have one for bit.ly and one for is.gd, and shortening urls is as easy as clicking a button on my taskbar or right-clicking and telling the browser to shorten. The shortened URLs are automatically copied to my clipboard, ready for pasting. Handy –and– safe. IIRC, bit.ly's add-on doesn't allow you to sign in for metrics, but is.gd's might.
http://www.facebook.com/secretapple Jason Green

Why would you go anywhere from a short url to somewhere to devuldge information anyway? That in itself is bad practice. I'm not going to follow a shortURL to gmail hotmail or paypal. wth are these people thinking?
http://newscubamarketing.com Nick Bostic

I use and like Hootsuite since I seem to be changing computers constantly and a web-based app (with scheduling – yes, I use it on one account, boo all you want) is really the best option. However, I use bit.ly for all of my URL shortening because I hate the toolbar Ow.ly uses.
KiltBear

The ow.ly bar allows you to turn this behavior off. (see the X in the top write corner of the bar/page)

Facebook used to do the same thing for almost all offsite content until people got pissed off about it.
ahockley

Yes, I noted the fact that in theory, end-users can opt-out of the Ow.ly bar (although I've had to do it several times), but you shouldn't make your readers' browsing experience because of your choice of tools. There are no reasons for the Ow.ly bar other than to advertise HootSuite.
Joe Perrin

I use HootSuite but I didn't want to use the Ow.ly shortening service. So I did a quick google search an came across a greasemonkey script which automatically creates a Bit.ly link when it detects a URL in your HootSuite tweet (the same way that tweetdeck does it) — the script works on Twitter.com too. The script supports your bit.ly API key or uses the general one if you leave it blank.

Problem solved.

Here is a link to the greasemonkey script: http://userscripts.org/scripts/show/69295
ahockley

Thanks for the link to the script… it's a nice workaround for the savvy, but it sure would be neat if HootSuite made it easier for folks. The reality is that most users don't have a clue about Greasemonkey. That said, I'll point folks to it if they really want to use HootSuite.
http://www.scottwebb.tv/ Scott Webb

is this the same kind of thing as stumbleupon then? the stumble bar goes along the top of the page too?
ahockley

Yes, the StumbleUpon bar has the same issues.
http://www.loususi.com loususi

I see no problem with the Ow.ly URL shortening within HootSuite. I've used a few other tweeting alternatives that allow tweeting from multiple accounts and I don't like the desktop app solutions at all. I even tried Brizzly and wanted to like it because of that damned cute little bear guy, but I don't know … HootSuite is the app for me I guess.

As for Ow.ly … I don't use any of these URL shortening tools anymore since implemnting YoURLs on one of my websites. As much as I should really get into tracking these shortened URLs, I'm a bit unusual in that I am not typically tweeting and promoting links for the typical social marketing aspects that exploit the open + free communication that the social web allows for … sure, I am 'marketing' events, ideas, myself + other sundry items by tweeting + such, but these are more personal in nature … and if they're not personal, I make them my personal passion in some way. If I were ever to tweet and need the stats documented I would research another method, but for right now I post all my shortened links through my YoURLs account posting via hotsects.com … just for fun …
http://www.hostelmanagement.com/ Josh

Great post. I hate framejacked links — ow.ly and su.pr are becoming the most common ones on Twitter.
http://twitter.com/NonTechieTalk Non-techie Talk

Hootsuite has fixed the “problem.” It now bundles a choice – ow.ly is a straight-up, no frills shortener, and their new ht.ly uses the frame which, had it not been for the masked url, would have been a great idea.

I agree, the URL is a bad idea ripe for phishing. Hopefully, HootSuite will take one more step and merge somehow merge the two ideas – retaining the site’s true URL along with their tool frame.
http://blog.darcykieran.ca Darcy Kieran

100% right! For as far as I can remember, I never clicked an ow.ly links, from anybody – and I’ve always stayed away from HootSuite – for that reason. But… Apparently “Non-techie Talk” (below) is right: HootSuite finally understood what you explained above and it’s “gone” on the ow.ly service from HootSuite. About time!I wonder how many people out there are still not clicking a ow.ly link because of the way it was working in the past!It most certainly was not safe – and very annoying!
http://www.next-presso.fr Antoine Sabot-Durand

I think you should correct this post which content is no more accurate. owl.ly does a 301 redirect like other shortener. ht.ly is the one with social bar which I don’t use.
One the nice things in Hootsuite is the statistics included in the product, but you have to use their shortener to use them.