Column: URL Shorteners for All of Your Malicious Intent

By Tim Quax on 31 July 2010

Long URLs are simply hard to pass along. Very long links tend to break in emails or in any other system where there isn't much room, like your basic comment systems and services like Twitter. However, shortening them is also a huge security risk.

URL shorteners like is.gd, bit.ly and TinyURL are used worldwide for shortening the longest of links. However, the whole concept of URL shortening is more dangerous than any loophole in software supplying your daily anti-spam needs. Why? Well, domain names are harder to blacklist if they're hidden behind a service that 301s the request to the Provider of Maliciousness.

The real danger
Of course it sucks when the current anti-spam techniques are no longer sufficient because URL shorteners are so easy to hide behind. That is, however, not the biggest problem with URL shorteners. Why? While you can't point a URL shortening service at executables or archives, you can make a script that automatically submits the file for downloading. That script can be shortened by pretty much all services. You'll never know what's behind door number one when you click on it. For example, this URL:

http://www.timquax.nl/oh-noes-a-virus.zip

is pretty straightforward. You know you're going to download a ZIP archive, and you know where it comes from. And then these examples:

http://bit.ly/9zpzG0
http://tinyurl.com/34x5uww
http://is.gd/dV5PR

They all redirect to a script that submits a zip archive for downloading. Downloading is all it takes when a Malicious Douchebag is sending stuff around to exploit security issues with browsers and operating systems. This works for any browser on any platform, and is untraceable for current anti-spam software and browsers.

My advice? Anti-spam software should be updated to follow through on any 301 or 302 redirect headers. It should cross-reference the given MIME type and check for the Content-Disposition header. Besides that, any URL shortening service that doesn't do this as well should be put on blacklists along with viagra-is-bloody-cheap-here.com and such.
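One way to implement the check advised above, as an added example rather than code from the column: follow each 301/302 hop, then inspect the final response's MIME type and Content-Disposition header. The `fetch` callable, the policy lists and the `.example` responses are assumptions constructed for the illustration; a real filter would issue the HTTP requests itself.

```python
from urllib.parse import urljoin

# Assumed policy lists, not taken from the column.
RISKY_TYPES = {"application/zip", "application/octet-stream", "application/x-msdownload"}
RISKY_EXTS = (".zip", ".exe", ".scr", ".msi")

def resolve(url, fetch, max_hops=5):
    """Follow 301/302 hops and return (final_url, lower-cased headers)."""
    for _ in range(max_hops + 1):
        status, headers = fetch(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if status not in (301, 302):
            return url, headers
        if "location" not in headers:
            raise ValueError("redirect without Location header")
        url = urljoin(url, headers["location"])  # Location may be relative
    raise ValueError("too many redirects")

def verdict(headers):
    """List the reasons the final response looks like a forced download."""
    reasons = []
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    disp = headers.get("content-disposition", "").lower()
    if mime in RISKY_TYPES:
        reasons.append("mime:" + mime)
    if disp.startswith("attachment"):
        reasons.append("attachment")
    name = disp.partition("filename=")[2].split(";")[0].strip(' "')
    if name.endswith(RISKY_EXTS):
        reasons.append("filename:" + name)
    return reasons

def scan(url, fetch):
    """Return (blocked, reasons); a chain that cannot be resolved is blocked too."""
    try:
        _, headers = resolve(url, fetch)
    except ValueError as err:
        return True, [str(err)]
    reasons = verdict(headers)
    return bool(reasons), reasons

FAKE_WEB = {  # constructed responses standing in for the network
    "http://short.example/a": (301, {"Location": "http://files.example/get.php"}),
    "http://files.example/get.php": (200, {"Content-Type": "application/zip",
        "Content-Disposition": 'attachment; filename="sample.zip"'}),
    "http://short.example/b": (302, {"Location": "/article"}),
    "http://short.example/article": (200, {"Content-Type": "text/html; charset=utf-8"}),
}
fake_fetch = FAKE_WEB.__getitem__
```

A short link whose chain loops or never terminates is treated as blocked, since the filter cannot see what it finally serves.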

This is a column from Tim Quax's blog. For more of his posts, check out his site.



Frosmebrarems on Monday 07-02-2011

Sorry for the stupid question. What is the best search engine http://google.com or http://yahoo.com?

Tim Quax on Thursday 17-02-2011

Google has ruled the search engine world for many years now. No other search engine can currently match the size of Google's index, nor the quality in search algorithms.

Although they do try, it's very cute.

Pjpqtaur on Sunday 03-07-2011

this post is fantastic!
