In what seems to be a series of stories about shortening URLs, today we’re going to take a look at the dangerous and vicious side of things – the security.
The first article I wrote on URL shortening defined the services that were on offer and the pitfalls of using them (i.e. if the service goes offline, you’ve got no URL forwarders):
What URL Shortening Service Rules the Roost?
OK, so not too bad. There are a variety of services out there for you to use and they all do about the same thing – shorten URLs.
We then took a look at one of the services (TinyURL) and coupled it with the recent Server 2008 R2 release and made a fancy TinyURL (and talked about Server 2008 R2):
Windows Server 2008R2 + TinyURL = http://tinyurl.com/ws2k8r2
Now, let’s break it down one step further and look at the dodgy side of URL Shortening…
Everyone is shortening URLs: it’s easy, it’s convenient, it’s the in thing (peer pressure, right?). If I gave you the URL:
or I gave you the URL:
http://www.msteched.com/online/view.aspx?tid=e260f558-3cbd-45db-a7d0-ffdffd3460c4
which would you rather? I’m sure more than 90% of the population would opt for the first, right? Well, how about if I gave you the URL:
as part of one of my tweets and said next to it – Windows 7 has new features read more here http://tinyurl.com/m7offo
You wouldn’t think anything of it, would you? Nope, nor would most other people. This is where the URL shortening service has its biggest downfall... Click on that link. Where does it actually take you? It should redirect you to:
http://www.mydodgysite.com/0dayexploit.aspx
OK, so that doesn’t exist, but it proves a point of mine – especially if you break down the URL. Play the part of the dodgy hacker who wants to take control of your computer. He creates a website with a 0 day exploit on it (if you don’t know what a 0 day exploit is, read more here from Wikipedia), uses social media to make you think he’s written a blog post about Windows 7’s new features, gives you a tiny URL and BANG, you’re caught.
How can we defend against this type of cybercrime? Well, TinyURL gives us a preview feature, which lets the user visit the URL in confidence by first showing them the destination URL (check it out for yourself):
http://preview.tinyurl.com/m7offo
but do all of the others? My best guess is no. Looking at bit.ly (one of the most used, based on statistics), they have a Firefox plug-in, but do we all use Firefox? Do we all want to use plug-ins? Furthermore, how many people would actually publish these “preview” URLs, and in reality how many publish only the short URL?
Moral of the story: the Internet isn’t as safe as it used to be.
Surf safely.

#1 by Leo on Sunday, January 17, 2010 - 02:38
A big problem is that users like the convenience of going straight to the page. We didn’t go with a full-fledged preview feature, but we did pause the redirects so the full link was visible. Folks didn’t like the short delay.
#2 by Shelby Thomas on Saturday, September 25, 2010 - 14:40
Hello! Love your blog, thanks for sharing it with me.