Tuesday, June 16, 2009

URL Shortening Equals Short-cut to Drive-by-download

URL shortening has always been a convenient way to obfuscate a malicious URL. Shortened links have been used in phishing URLs for nearly a decade now, and in drive-by downloads for almost as long. Now it seems that another weakness of URL shortening services has been exploited by the bad guys: compromise the service's hosting provider, and every shortened URL the service has ever issued can be pointed at a single malicious drive-by-download URL.

That's what happened to Cligs Sunday/Monday this week.

Apparently, according to their blog, some 2.2 million shortened URLs were affected, redirecting victims to malicious content over at freedomblogging.com. Not pretty, but hardly unexpected.

From their blog...
"... I’m restoring the URLs back to their original destination states. However, the most recent backup is from early May, and so we may have lost all URLs created since then. My daily backups with my host were turned off for some reason, which is another story.

The restoration will take a long time - it’s millions of URLs that have to be individually restored - and so you may not see your proper links till tomorrow."

I suspect that this won't be the last time a URL shortening service provider is compromised. There's good money to be made by the bad guys exploiting these kinds of services, so there's motivation and skill in abundance to do so. Frankly, the providers of shortened URL services aren't known for their security ambitions.
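The shape of the Cligs incident, millions of unrelated short links all suddenly resolving to one host, is also the thing a reader or a monitoring job can check for without ever visiting the destination: send a HEAD request, read the 3xx Location header, and do not follow it. The script below is an added example for this post, not code from Cligs or from the post's author. The short codes, destination hosts, HTTP responses and the host name "attacker.example" are constructed sample data, and the 50% threshold is an arbitrary choice.

```python
"""
Spotting a hijacked URL shortener from its redirect responses.

Added example for this post, not code from Cligs or from the post's author.
The short codes, destination hosts and HTTP responses below are constructed
sample data; "attacker.example" stands in for whatever host a hijacked
service redirects to.
"""
from collections import Counter
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


def parse_redirect_target(raw_response: bytes) -> Optional[str]:
    """Return the Location header of a 3xx response, or None if it is not a redirect.

    Only the status line and headers are inspected; nothing is fetched and the
    redirect is never followed, which is the point of expanding a short link
    before deciding whether to visit it.
    """
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ")
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def redirect_host(url: str) -> str:
    """Hostname of a redirect target, lower-cased; empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()


def detect_mass_redirect(targets: Dict[str, str], threshold: float = 0.5,
                         min_codes: int = 5) -> Optional[Tuple[str, float]]:
    """Flag the pattern seen in the Cligs incident: many unrelated short codes
    all resolving to one host. Returns (host, fraction) when a single host
    accounts for at least `threshold` of the codes, else None."""
    if len(targets) < min_codes:
        return None
    counts = Counter(redirect_host(t) for t in targets.values())
    host, n = counts.most_common(1)[0]
    fraction = n / len(targets)
    return (host, fraction) if fraction >= threshold else None


def changed_destinations(observed: Dict[str, str],
                         expected: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Per-link check: compare each code's current target with the destination
    it was created for; return the codes whose host changed."""
    changed = {}
    for code, target in observed.items():
        original = expected.get(code)
        if original is not None and redirect_host(target) != redirect_host(original):
            changed[code] = (original, target)
    return changed


# Constructed: destinations six short codes were created with (healthy state).
EXPECTED_TARGETS = {
    "a1": "http://news.example.org/story/1",
    "a2": "http://blog.example.net/post/2",
    "a3": "http://shop.example.com/item/3",
    "a4": "http://wiki.example.org/page/4",
    "a5": "http://video.example.net/watch/5",
    "a6": "http://news.example.org/story/6",
}

# Constructed: HEAD responses for the same codes after the shortener's redirect
# table has been rewritten to send everything to one host.
HIJACKED_RESPONSES = {
    code: (b"HTTP/1.1 301 Moved Permanently\r\n"
           b"Server: nginx\r\n"
           b"Location: http://attacker.example/landing?ref=" + code.encode() + b"\r\n"
           b"Content-Length: 0\r\n\r\n")
    for code in EXPECTED_TARGETS
}


def analyse(responses: Dict[str, bytes], expected: Dict[str, str]):
    """Expand each response without following it, then run both checks."""
    targets = {}
    for code, raw in responses.items():
        target = parse_redirect_target(raw)
        if target is not None:
            targets[code] = target
    return detect_mass_redirect(targets), changed_destinations(targets, expected)


if __name__ == "__main__":
    mass, changed = analyse(HIJACKED_RESPONSES, EXPECTED_TARGETS)
    print("mass redirect:", mass)
    for code, (was, now) in changed.items():
        print(f"{code}: {was} -> {now}")
```

To feed it live data, fetch each short link with a client that does not follow redirects (Python's http.client, for example, returns the 301 itself rather than chasing the Location header) and pass the raw response bytes in. The per-link check needs the destinations the links were created with, which a link owner has and a bystander does not; the mass-redirect check needs only a sample of the service's links, which is why it is the more useful signal for an outside observer.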


  1. "Frankly, the providers of shortened URL services aren't known for their security ambitions." Some should be known for that. Check out Safe.mn (http://safe.mn/)

  2. Actually Safe.mn doesn't appear to address the security I'm concerned with - protecting their own site and application infrastructure from attack.

    Regarding Safe.mn's "security" service - i.e. the vetting of shortened URLs as non-malicious - there's nothing there to give me confidence that they're any better than my desktop McAfee install. And, on top of that, these URL shortening services are popping up everywhere - why should I trust this one over any other?

    That's not a dig at Safe.mn, it's a concern with all the similar services. I have no confidence that a free service is going to be 100% trustworthy and has my best interests at heart.

  3. So are these attacks XSS mostly?