Thursday, March 26, 2009

URL Shortening Services - the Bigger Picture

Now that I've had a chance to let the events of the TinyURL URL shortening issue soak in and run their course, I wanted to write this post about a much bigger picture than we (the collective) seemed to focus on.

There was more at play than a serious information disclosure and vulnerabilities which would allow relatively simple compromise of that service - and I think most everyone (myself included) at the time got caught up in the microcosm of the moment and completely missed the proverbial forest for the trees. Allow me to explain.

There are a large number of these URL shortening services available; Google it... at last count there were at least 10, with about half of those publicly used all over the place. Some of those (tinyURL and others) are embedded in Twitter applications (those 140 characters make it hard to paste an entire URL properly!) and are used hundreds if not thousands of times a day.

Think about that.

If you have a service that several thousand people click through a day, and that has the sole purpose of creating obfuscated URL redirects - what could you do with that? Weaponizing this sort of service could have catastrophic results. At first glance you could do everything from passing clickers through some site you control to run up your hit-count... or you could point everyone to a site that distributes malware in drive-by format, or you could simply sp00f legitimate sites and harvest credentials... the possibilities are endless.

Here we come to my point about the "big picture"... these types of services are likely extremely high value targets due to their weaponized yield... they have a higher responsibility to deliver unparalleled levels of security for their users. The problem is most people don't realize what they're clicking on, and couldn't tell you why it's important to worry about security on these services.

The responsible thing to do would be to penetration-test every single one of them, and once we find the breaks, fix them and move on to the next... maybe create some standard for the way they function? I don't have a great answer aside from this plea - please enforce some basic best-practice security measures... you're endangering the computers & browsers of many, many people who implicitly trust you for no good reason.
