Re: Beware Pron ahead
I think URL shorteners are fundamentally insecure for exactly the opposite reason. You don't know where they go to
You don't really know where unshortened URLs are going to end up either. Too many IRI tricks, compromised sites, unprotected forwards and redirects...
But URL shorteners do remove information that is often useful even if it's not trustworthy. Clearly the cost to an attacker of using a shortener is less than the cost of using most other URL-disguising techniques, because shorteners aren't a scarce resource and they're trivial to use (manually or automatically).
I think it took a long time to get a study like this because security experts took one look at shorteners and said, oh yes, that's clearly a terrible idea; and so few people bothered to look further at other ways in which it's a terrible idea.
The blog post is well worth reading, by the way. Microsoft and Google have fixed some of the more blatant issues, but the underlying problems remain. (Note, for example, that while one of their OneDrive attacks has been blocked by Microsoft, it continues to work for older OneDrive URLs. So some MS developer decided to slap a band-aid on the problem without fixing the underlying issue.)
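The comment above argues that you cannot tell where a short URL goes. The usual defensive check is to expand the link hop by hop yourself, without letting a client auto-follow, and to look at what each hop reveals: a shortener host, a userinfo `@` trick, a non-ASCII or punycode host, a bare IP, or a redirect loop. The following is an added example, not code from the thread or from the study it discusses; the shortener list, the `.example` hosts and the redirect table are constructed assumptions, and the HTTP fetch is injected so the sample runs offline.

```python
"""Defensive link inspector: expand a (possibly shortened) URL one redirect
at a time and report what each hop reveals.

Added illustration, not code from the original thread. The fetcher is
injected so the constructed sample below runs without network access."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Hosts commonly used as shorteners (assumption for the demo; extend locally).
KNOWN_SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "1drv.ms"}

# Fetcher contract: given a URL, return (status_code, Location header or None).
# A real fetcher would issue a HEAD/GET with redirects disabled and a timeout.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def inspect_url(url: str) -> List[str]:
    """Return warnings about the URL's own shape (not about where it leads)."""
    warnings: List[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        warnings.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None:
        # http://trusted.example@198.51.100.7/ shows a trusted-looking prefix
        warnings.append("userinfo before host (@ trick)")
    if host in KNOWN_SHORTENERS:
        warnings.append("shortener host, destination hidden")
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII (IRI) host, possible homograph")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host")
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address as host")
    except ValueError:
        pass
    return warnings


def expand(url: str, fetch: Fetcher, max_hops: int = 10) -> Dict[str, object]:
    """Follow redirects one at a time, keeping every hop for review."""
    chain = [url]
    seen = {url}
    findings: Dict[str, List[str]] = {url: inspect_url(url)}
    final_status: Optional[int] = None
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        final_status = status
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            findings[nxt] = findings.get(nxt, []) + ["redirect loop"]
            break
        seen.add(nxt)
        chain.append(nxt)
        findings[nxt] = inspect_url(nxt)
    else:
        findings[chain[-1]].append(f"more than {max_hops} hops, gave up")
    return {"chain": chain, "final": chain[-1],
            "status": final_status, "findings": findings}


# Constructed redirect table standing in for live HTTP responses (assumption;
# nothing here is ever fetched, the bit.ly path is made up for the demo).
SAMPLE_RESPONSES = {
    "https://bit.ly/3xample": (301, "https://short.example/r/42"),
    "https://short.example/r/42": (302, "/hop?id=42"),
    "https://short.example/hop?id=42": (302, "http://login.example.com@198.51.100.7/doc"),
    "http://login.example.com@198.51.100.7/doc": (200, None),
}


def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for an HTTP HEAD that does not follow redirects."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def demo() -> Dict[str, object]:
    """Expand the constructed short link and return the full report."""
    return expand("https://bit.ly/3xample", sample_fetch)


if __name__ == "__main__":
    report = demo()
    for hop in report["chain"]:
        flags = ", ".join(report["findings"][hop]) or "ok"
        print(f"{hop}  [{flags}]")
```

The report keeps every intermediate URL rather than only the final one, because the intermediate hosts (an open redirector on an otherwise reputable site, for instance) are often the useful signal; the hop cap and loop detection keep a hostile chain from tying the inspector up.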