URL shortening – How do they do it

URL shortening services had experienced a big push in the age of social networks rising, such as Twitter, where big urls collide with the 140 characters user input restriction.

So there was this need of magically transform URLs like this one http://raduboncea.ro/2009/04/01/twitter-autofollow-and-dm-using-python-twitter-imaplib-and-gmail/ into something like this http://tinyurl.com/cralfk.

Many would be tempted to think there is some kind of compression algorithm that would shorten a big URL and make it fit into a unique combination of 4,5 or 6 characters and then decompressed upon user request. Well it doesn”t work like this, mathematics prohibit it.

So how does it actually work?
A URL shortening service takes the big URL and saves it into a database along with an auto incremented numerical value, an id or sequence, so we would have the first big URL saved with ID=1, the second with ID=2 and so on. When someone would ask for http://tinyurl.com/1/ we would get from the database the big URL identified by ID=1 and redirect the user to that URL.

But there is a problem: having numerical ids does not shorten urls too much. For the URL number 1 million we would have 7 numerical characters. So the next step is to change base numerotation from 10 to a bigger one, lets say 36, so we include all a-z small latin letters or, why note, 62 which includes also the capital chars A-Z.
In 36 base we can save as much as 1.679.615 URLs into 4 characters. On base 62 we have 14.776.335 URLs fit into 4 chars, almost 10 times as much as base32 and 14.776 times base10.

Some security issues.
Many shortening services stopped to the algorithm above without digging into a very important security issue which is related to how redirects work. It is critical, before redirecting users to the URL they requested to check what’s behind that URL, to check if the URL is not yet another redirect which may result into a recursive loop and may disrupt the service.

A malicious user may save a URL to a page which will later modify to redirect back to the service URL and thus attempting to generate an infinite loop which could make the interpreter to hang.

To avoid this kind of DoS vulnerability, we must not allow redirects to our own links and to limit redirects to outside to a smaller finite number of depths analysis.

Beneath a small model-view example in django, using also urllib to check for redirects and the base10-base62 conversion algorithm similar to the base36 which is included in django.





Twitter autofollow and DM using python-twitter, imaplib and gmail

The script will:

  1. connect via imap to gmail
  2. select the imap directory TwitterFollow (you should filter twitter follow notifications and label them with TwitterFollow)
  3. fetch the headers of all unread mails
  4. retrieve the twitter user screen_name that is following you from the headers
  5. attempt to create a friendship aka autofollow. If an error occurs is probably due to the fact you previously followed the user
  6. Send a direct message to thank for the following
  7. Flag the message as read so it won’t be fetched next time script runs

You could also check Twitter autofollow and direct message using python mechanize libgmail which is basically achieving the same goal but operate differently using reverse engineering on gmail web site.


Twitter autofollow and direct message using python mechanize libgmail

Requirements:

  • a valid gmail account
  • label your twitter follow notifications (E.g. I use TwitterFollow)
  • mechanize : a stateful programmatic web browsing
  • libgmail : a GA reverse engineered library
  • python-twitter : a wrapper around the Twitter API

IMPORTANT: because Gmail does not provide an API and does not intend to do that because of the ads, hacking libgmail to fetch the threads is a VIOLATION of Gmail TOS. This script should be use for documentation only. For production please consider using POP3 or IMAP to fetch the threads. To avoid your account being suspended or locked run the script no more than twice a day.

Twitter Search Api example in use by Ecto Script – Python

Requirements: simplejson

The script gets the input from Ecto and prints the search results.

Ecto script – python feedparser my delicous

I recently started using Ecto as a blog editor instead of Blogo and I find it extremely useful, specially the Script feature which allows you to get the output of your scripts and paste it to the post. This feature gives you all the freedom in automates certain posts.

The Script Tool supports php, python, ruby, perl and bash after declaring compilers paths.

One simple example which I found useful was to parse my delicous bookmarks binded to a specific tag (myblogshare).

Python twitter api – extract friends who don’t follow back

A perspective different than the script I posted here which required python-twitter library.

Please excuse the lack of introspection, the script should be self explanatory.



Twitter friends list match against followers using python-twitter

One simple way to extract those who you follow but are not following back