Dangers of URL Shorteners

After reading this article http://www.technewsworld.com/story/72216.html, I wanted to chime in and explain the dangers.
This builds upon my XSS Explained article.  Please read that before you continue.

The popularity of URL shorteners grew as more people started using www.twitter.com. Twitter allows you to ‘micro’ blog, 140 characters at a time. With this in mind, links to web sites became an issue. Take, for instance, the article at the top of this page: its link is 46 characters long, taking up 32% of that post. URL shorteners came along as a way to still have a link, but not take up as much space. To make one, you simply go to a site like bit.ly or tinyurl.com and give it a link. It will in turn give you a short link to their site similar to www.Bit.ly/hZEYc8 (18 characters) or www.Tinyurl.com/3z4fkas (24 characters).

Technically What Happens

When someone posts a link from a URL shortener such as bit.ly or tinyurl.com on the web, a very simple action takes place. Someone comes along and clicks the link, and bit.ly/tinyurl acts as an intermediary, receiving the request and forwarding the user to the end content. This is done transparently to the user, for ease of use. Click a bit.ly/tinyurl link and get the content you want.

  1. Malicious Site Link --(submitted)--> www.bit.ly --> www.bit.ly/hZEYc8
  2. www.bit.ly/hZEYc8 --(posted)--> blog/forum
  3. Victim --(clicks)--> www.bit.ly/hZEYc8
  4. Victim --> bit.ly --(forwarded)--> Malicious Site

Security Issues

There are three main security concerns with URL shorteners. The first problem is that the user is taken to the end content without any interaction, or visibility into what they are going to load into their browser. Someone could post a URL on a blog/forum which forwards people to a malicious website. The user ends up implicitly trusting the person who publicized the short URL.

This then leads to a second issue, the inability of a user to check the actual end link content before browsing to it. I see a short URL, I want to know where it will take me, BEFORE I go there, to make sure I’m not being forwarded to www.Evilsite.cn. There have been a few solutions developed to help with this issue, noted below.

The third issue deals with XSS. A reflected XSS attack can be fairly easy to identify based on the length and complexity of a URL. URL shorteners can help hide these attacks from the user by taking that extremely long link and hiding the actual context of the attack. Also keep in mind that a bad guy may use a short URL to point to a forum/blog that contains persistent XSS. What looks more obvious as being malicious:

  1. http://www.brightroom.com/msgbox.asp?M=%3Cp%3E%3Ch2%3EProof%20of%20XSS%20via%20cactus%20%3C/h2%3E%3C/p%3E%3Cimg%20src=%22http://visopsys.org/andy/cat/uploaded_images/182boner-714406.jpg%22/%3E
  2. http://bit.ly/hksEEm

Yikes! As if the bad guys don’t have it easy enough already…


Tinyurl has developed a ‘preview’ feature that allows someone to view the end URL before going there. This solves quite a few of the problems described above, but can make clicking on links quite a tedious task, adding at least one extra step to viewing web content.
If you are a Firefox user, there is a plug-in called bitly preview which will take care of unhiding the links for you. Link: https://addons.mozilla.org/en-US/firefox/addon/bitly-preview/
Google Chrome users can check out the extension View Thru. https://chrome.google.com/extensions/detail/jkncfnbcgbclefkbknfdbngiegdppgdd
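
What the preview tools above do, combined with a check for the third issue, as an added Python example that is not part of the original article: ask the shortener where a link points without loading the destination, then percent-decode the destination's query string and flag values that contain markup. The function names, the regular expression and the sample URL are assumptions made for this illustration, and the markup check is a heuristic, not a complete XSS detector.

```python
import http.client
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristic (assumption): markup that has no business in a query-string value.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript\s*:", re.I)


def expand_one_hop(short_url, timeout=5):
    """Ask the shortener where a link points without visiting the destination.

    Sends a single HEAD request and returns the Location header (or None);
    the redirect itself is never followed. Requires network access.
    """
    parts = urlsplit(short_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", target)
        return conn.getresponse().getheader("Location")
    finally:
        conn.close()


def flag_markup_in_query(url):
    """Return (parameter, decoded value) pairs whose value contains markup."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value once.
        if SUSPICIOUS.search(value):
            findings.append((name, value))
    return findings


# Constructed sample destination for offline use, not taken from the article.
SAMPLE = "http://shop.example/msgbox.asp?M=%3Ch2%3ENotice%3C%2Fh2%3E&id=42"

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a real short link,
    # pass the result of expand_one_hop() to flag_markup_in_query().
    for name, value in flag_markup_in_query(SAMPLE):
        print(f"parameter {name!r} decodes to markup: {value}")
```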
