Jump to content

Cre8asiteforums Internet Marketing
and Conversion Web Design


Photo

The Evil Url Shortener


  • Please log in to reply
4 replies to this topic

#1 iamlost

iamlost

    The Wind Master

  • Site Administrators
  • 4662 posts

Posted 23 December 2010 - 07:20 PM

Just a little extra pre-Christmas Cheer for the paranoids out there...

d0z.me: The Evil URL Shortener by Ben Schmidt, Spare Clock Cycles, 19-December-2010.

With these issues in mind, I began wondering: what would happen if I mashed them all together? Enter d0z.me: a proof-of-concept URL shortener that, while getting users to their destinations, also covertly attacks an arbitrary server.
...
When users click on the link, they appear to be redirected to the requested content, but they are in fact looking at the page in an embedded iframe. This is identical to how those rather annoying Digg and Stumbleupon toolbars work, except the embedding is invisible to the user (minus the location URL in the toolbar). While the users are busy viewing the page, a malicious Javascript DoS runs in the background, hammering the targeted server with an deluge of requests from these unsuspecting clients. If these clients continue browsing from that page, we can maintain our DoS in the background the entire time.

There are a few other little nasty uses of this type of Innocent Surfer background activity. DoS would seem the least profitable.

#2 Guest_joedolson_*

Guest_joedolson_*
  • Guests

Posted 27 December 2010 - 11:02 AM

Yes, that definitely seems nasty. Interesting to think about, but it sure does keep one questioning URL shorteners...who knows what could be happening in the background?

#3 bwelford

bwelford

    Peacekeeper Administrator

  • Site Administrators
  • 9023 posts

Posted 27 December 2010 - 12:10 PM

Certainly a thing to be avoided.

Perhaps to divert this to a more useful line of thinking, I am now using the URL shortening service from those 'Do No Evil' people. That's to be found at http://goo.gl I even use it for URLs that are 'private'. I'm assuming that the corresponding URL does not go into the regular Google search indices.

Is that a safe assumption?

#4 iamlost

iamlost

    The Wind Master

  • Site Administrators
  • 4662 posts

Posted 27 December 2010 - 02:10 PM

Safe? You want safe?
Safe is a relative thingy, on the web as in bank vaults.

Regarding 'brand' shorteners such as goo.gl - never forget that if the site with the shortened links is cracked or otherwise rotten any link can lead to anywhere, include various additional functionality, etc.

What you see is not always what or, perhaps, all that you will get.

Am I suggesting that one not click shortened links?
No.
Just be aware that dragons do exist and they do be nasty critters.

The more a browser or web app has to interact with the OS, i.e. client-side scripting, the greater the risk exposure. Which casts somewhat of a gloom on current webdev direction, doesn't it?

:capeguy:

#5 jonbey

jonbey

    Eyes Like Hawk Moderator

  • Moderators
  • 4449 posts

Posted 27 December 2010 - 03:37 PM

I use my own shortener now for anything that I think may need some legs, otherwise Google's.

My concern with anything but my own is that they can redirect your url at any time. Bitly is very popular, but what if they close down and redirect all urls to their own affiliate site? Unlikely, but it could happen.
I have never read the TOS on any url shortener, probably worth a look.



RSS Feed

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users