4 replies to this topic

[iamlost]

Just a little extra pre-Christmas Cheer for the paranoids out there...

d0z.me: The Evil URL Shortener by Ben Schmidt, Spare Clock Cycles, 19-December-2010.

With these issues in mind, I began wondering: what would happen if I mashed them all together? Enter d0z.me: a proof-of-concept URL shortener that, while getting users to their destinations, also covertly attacks an arbitrary server.
...
When users click on the link, they appear to be redirected to the requested content, but they are in fact looking at the page in an embedded iframe. This is identical to how those rather annoying Digg and Stumbleupon toolbars work, except the embedding is invisible to the user (minus the location URL in the toolbar). While the users are busy viewing the page, a malicious Javascript DoS runs in the background, hammering the targeted server with an deluge of requests from these unsuspecting clients. If these clients continue browsing from that page, we can maintain our DoS in the background the entire time.

There are a few other little nasty uses of this type of Innocent Surfer background activity. DoS would seem the least profitable.

[joedolson]

Yes, that definitely seems nasty. Interesting to think about, but it sure does keep one questioning URL shorteners...who knows what could be happening in the background?

[bwelford]

Certainly a thing to be avoided.

Perhaps to divert this to a more useful line of thinking, I am now using the URL shortening service from those 'Do No Evil' people. That's to be found at http://goo.gl I even use it for URLs that are 'private'. I'm assuming that the corresponding URL does not go into the regular Google search indices.

Is that a safe assumption?

[iamlost]

Safe? You want safe?
Safe is a relative thingy, on the web as in bank vaults.

Regarding 'brand' shorteners such as goo.gl - never forget that if the site with the shortened links is cracked or otherwise rotten any link can lead to anywhere, include various additional functionality, etc.

What you see is not always what or, perhaps, all that you will get.

Am I suggesting that one not click shortened links?
No.
Just be aware that dragons do exist and they do be nasty critters.

The more a browser or web app has to interact with the OS, i.e. client-side scripting, the greater the risk exposure. Which casts somewhat of a gloom on current webdev direction, doesn't it?

[jonbey]

I use my own shortener now for anything that I think may need some legs, otherwise Google's.

My concern with anything but my own is that they can redirect your url at any time. Bitly is very popular, but what if they close down and redirect all urls to their own affiliate site? Unlikely, but it could happen.
I have never read the TOS on any url shortener, probably worth a look.