In what seems to be a series of stories about shortening URLs, today we’re going to take a look at the dangerous and vicious side of things – the security.
The first article I wrote on URL shortening defined the services that were on offer and the pitfalls of using them (i.e. if the service goes offline, you’ve got no URL forwarders):
OK, so not too bad. There are a variety of services out there for you to use and they all do about the same thing – shorten URLs.
We then took a look at one of the services (TinyURL) and coupled it with the recent Server 2008 R2 release and made a fancy TinyURL (and talked about Server 2008 R2):
Now, let’s break it down one step further and look at the dodgy side of URL Shortening…
Everyone is shortening URLs: it’s easy, it’s convenient, it’s the in thing (peer pressure, right?). If I gave you the URL:
or I gave you the URL:
which would you rather? I’m sure more than 90% of the population would opt for the first, right? Well, how about if I gave you the URL:
as part of one of my tweets and said next to it – Windows 7 has new features read more here http://tinyurl.com/m7offo
You wouldn’t think anything of it, would you? Nope, nor would most other people. This is where the URL shortening service has its biggest downfall... Click on that link. Where does it actually take you? It should redirect you to:
OK, so that doesn’t exist, but it proves a point of mine – especially if you break down the URL. Play the part of the dodgy hacker who wants to take control of your computer. He creates a website with a 0-day exploit on it (if you don’t know what a 0-day exploit is, read more here from Wikipedia), uses social media to make you think he’s written a blog post about Windows 7’s new features, gives you a tiny URL and BANG, you’re caught.
How can we defend against this type of cybercrime? Well, TinyURL gives us preview, which lets the user visit the URL in confidence by first showing them the URL (check it out for yourself):
but do all of the others? My best guess is no. As I go look at bit.ly (one of the most used, based on statistics), they have a Firefox plug-in, but do we all use Firefox? Do we all want to use plug-ins? Furthermore, how many people would actually publish these “preview” URLs, and in reality how many publish just the short URL?
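A preview that does not depend on the shortening service or on a browser plug-in, as an added example (not from the original post): ask the shortener for its redirect with a HEAD request and read the Location header, without ever contacting the destination. The `SHORTENERS` set, the function names and the local `FakeShortener` stand-in are assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"tinyurl.com", "bit.ly"}  # the two services named in the post

def next_hop(url, timeout=5):
    """Send one HEAD request and return the redirect target, or None."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308) and resp.getheader("Location"):
            return urljoin(url, resp.getheader("Location"))  # Location may be relative
        return None
    finally:
        conn.close()

def expand(url, shorteners=SHORTENERS, max_hops=5):
    """Unwrap short links hop by hop; the final destination is never contacted."""
    chain = [url]
    while urlsplit(chain[-1]).netloc.lower() in shorteners:
        if len(chain) > max_hops:
            raise RuntimeError("too many chained short links")
        target = next_hop(chain[-1])
        if target is None:
            break
        chain.append(target)
    return chain

class FakeShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortening service, so the demo runs offline."""
    def do_HEAD(self):
        self.send_response(301)
        self.send_header("Location", "http://destination.example/not-the-blog-post")
        self.end_headers()

def demo():
    with HTTPServer(("127.0.0.1", 0), FakeShortener) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        host = "127.0.0.1:%d" % server.server_port
        chain = expand("http://%s/abc123" % host, shorteners={host})
        server.shutdown()
    return chain

if __name__ == "__main__":
    print(" -> ".join(demo()))
```

The last entry in the returned chain is the address the short link really leads to, so it can be read (or checked against a blocklist) before anything is opened in a browser.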
Moral of the story: the Internet isn’t as safe as it used to be. Surf safely.