by favourable 1519 days ago
I reverse engineered a sketchy link I got in an SMS. I opened up Tor Browser Bundle (with JS disabled), then went to a URL 'un-shortener' service[0]. Furthermore, I saw an interstitial page with a JavaScript payload in it, and it was all obfuscated and obviously coded to hide what it was doing.

I could have gone further and unpacked the code, beautifying it to see what 0 day it was leveraging, but I didn't proceed further. Obviously, this was designed to take over my device. Luckily, my default browser on my phone is Firefox with JavaScript turned off, so it wouldn't have been able to execute if I did click on the link.

[0] https://urlex.org/

1 comments

Javascript is absolutely not the only way these payloads can infect your device, so I wouldn't consider that particularly safe.

Also, if you aren't on a phone or similar, you can just use curl to expand shortened URLs. Tell it to follow redirects (-L) and print headers (-I), and use the last "location: " header it spits out. e.g.,

    # -L follows redirects, -I sends HEAD and prints each hop's headers; strip the
    # trailing CR, keep Location values whatever their case, take the last hop.
    curl -fsSLI https://t.co/blahblah | tr -d '\r' | sed -n 's/^[Ll]ocation: //p' | tail -n 1
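The curl one-liner above only works when every hop uses a lowercase, absolute `location:` header. The following is an added example (not the commenter's code) that parses the header output curl produces for a redirect chain, resolves relative `Location` values against the previous hop, caps the hop count so a redirect loop cannot run away, and flags a chain that ends on an HTML page as one that still needs a look before anything is opened. The header text is a constructed sample, not captured traffic, and the starting URL is the placeholder from the comment.

```python
import re
from urllib.parse import urljoin

# Constructed sample of what `curl -sSLI` prints for a short link that bounces
# through two redirects (one HTTP/1.1 with a capitalised header, one HTTP/2 with
# a relative Location) and lands on an HTML page. Not real traffic.
SAMPLE_HEADERS = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "Location: https://example.net/r/abc",
    "content-type: text/html",
    "",
    "HTTP/2 302",
    "location: /landing?x=1",
    "content-type: text/html",
    "",
    "HTTP/2 200",
    "content-type: text/html; charset=utf-8",
    "content-length: 2048",
    "",
])


def parse_responses(raw):
    """Split `curl -I` output into a list of (status_code, headers) per hop.

    Header names are lower-cased so HTTP/1.1 'Location' and HTTP/2 'location'
    are treated alike; CR characters are handled by splitlines().
    """
    hops = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.splitlines()
        status = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
        if not status:
            continue
        headers = {}
        for line in lines[1:]:
            if ":" not in line:
                continue
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append((int(status.group(1)), headers))
    return hops


def redirect_chain(start_url, raw, max_hops=10):
    """Return every URL visited, starting with start_url, resolving relative
    redirects against the hop that issued them. Raises if the chain exceeds
    max_hops, which is how a redirect loop shows up in header-only output."""
    chain = [start_url]
    current = start_url
    for status, headers in parse_responses(raw):
        location = headers.get("location")
        if 300 <= status < 400 and location:
            current = urljoin(current, location)
            chain.append(current)
            if len(chain) - 1 > max_hops:
                raise ValueError("redirect chain longer than %d hops" % max_hops)
    return chain


def final_destination(start_url, raw):
    """The last URL in the chain: what the link actually lands on."""
    return redirect_chain(start_url, raw)[-1]


def needs_manual_review(raw):
    """True when the final hop is a 200 HTML document. Header-only expansion
    says nothing about what that page does once rendered, so this is the case
    where an interstitial with a script payload would be sitting."""
    status, headers = parse_responses(raw)[-1]
    return status == 200 and headers.get("content-type", "").startswith("text/html")


if __name__ == "__main__":
    start = "https://t.co/blahblah"  # placeholder from the comment
    for url in redirect_chain(start, SAMPLE_HEADERS):
        print(url)
    print("final:", final_destination(start, SAMPLE_HEADERS))
    print("review before opening:", needs_manual_review(SAMPLE_HEADERS))
```

Because only HEAD requests are made and no body is fetched or rendered, expanding a link this way never runs the destination's script; it only tells you where the chain ends and whether that endpoint is an HTML page rather than, say, a plain file. The hop cap matters in practice: a looping shortener would otherwise keep curl (and a parser without a limit) bouncing until curl's own redirect limit stops it.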

I know I'm replying to a 2 day old comment now, but I should add that I understand there may be a benefit to using a URL expanding service, in that the connection is not made from your host, so the various endpoints of your URLs won't see your IP address, etc. But the single URL expanding service will see all the URLs you expand and your IP address, etc., so you should trust it as much as any VPN service or ISP. That is to say, you should not trust it at all, until given numerous legal, technical, and reputational guarantees or assurances.