The danger of URL shortening

Date: November 05, 2009

Background on URL’s

Used in our daily Internet activities, often without our even noticing, URL’s (Uniform Resource Locators) direct Internet users to resources spread over networks, whether the Internet or an intranet: web sites, FTP servers, shared files, phone contacts, …

Often confused with the URI (Uniform Resource Identifier), and better known than the URN (Uniform Resource Name), URL’s are an integral part of Internet surfing. Without them it would not be possible to reach a web page, a site, an FTP server or any other type of resource available on a network.


URL, URI and URN

Technically speaking, URL’s and URN’s both belong to the URI family. Each is a string of characters that identifies a resource on a network (cf. RFC 3986).

A URN is a URI that identifies a resource by its name, without knowing its location on the network. A URL (Uniform Resource Locator) additionally provides the means to reach the resource and act upon it.

However, the spread of the Internet and the development of web applications have made URL syntax ever more complex.

To cope with this complexity, some sites have set up mechanisms that mask the real URL and replace it with a so-called short URL. Short URL’s are now commonly used on social networks such as Twitter, where a URL has to fit within the 140-character limit, and also in blogs and discussion forums.


Short URL’s

Initially, short URL’s were meant to avoid typing long addresses. They were then put to other, less traditional uses, such as masking marketing messages or tracking Internet audiences, …

Hence numerous sites such as “bit.ly”, “tinyurl.com”, “shorturl.com” or “metalmark.net” convert any URL into a short URL, usually an unintelligible one.


Working principle of short URL’s

The working principle of short URL’s is simple. A long (and often complex) address is converted into a short (that is, simplified) one. The short address generally embeds an identifier from which the initial (long) URL can be found again. Once the association is recorded, the “short link” provider’s site redirects the Internet user to the actual site: when a user types in a short URL, he/she is automatically redirected to the page associated with it.

For example, the URL http://www.cert-ist.com/fra/presentation/HistoriqueduCertIST can be converted into http://short.url.provider.com/cert-ist.com or http://short.url.provider.com/XpmC89OA.

Depending on the provider, the short URL identifier may or may not be unique; this mainly depends on the link provider and the service subscription. Some sites are free, others are not and provide additional services (for example knowing how many people have used a given short URL), which require opening a user account.
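To make the mechanism described above concrete, here is an added example (not code from the original article or from any real provider) of a minimal short-link service in Python: it stores the long URL under a randomly generated identifier, serves a redirect when that identifier is requested, and counts how many times each link has been followed. The provider domain short.url.provider.com is the placeholder used above; the Shortener class, its methods and the 8-character identifier length are assumptions made for the example.

```python
import secrets
import string
from urllib.parse import urlsplit

# 62-character alphabet, giving identifiers that look like "XpmC89OA" above
ALPHABET = string.ascii_letters + string.digits


class Shortener:
    """Minimal short-link provider (hypothetical): long URL <-> short identifier."""

    def __init__(self, base="http://short.url.provider.com/", id_length=8):
        self.base = base
        self.id_length = id_length
        self._targets = {}  # identifier -> long URL
        self._hits = {}     # identifier -> number of redirects served

    def shorten(self, long_url):
        """Register a long URL and return a new short URL for it.

        The same long URL can be shortened several times and receives a
        different identifier each time, so several short URL's may point
        to one destination.
        """
        parts = urlsplit(long_url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("only absolute http(s) URLs can be shortened: %r" % long_url)
        # Random identifier; retry in the unlikely event of a collision
        while True:
            ident = "".join(secrets.choice(ALPHABET) for _ in range(self.id_length))
            if ident not in self._targets:
                break
        self._targets[ident] = long_url
        self._hits[ident] = 0
        return self.base + ident

    def identifier(self, short_url):
        """Extract the identifier part of a short URL issued by this provider."""
        if not short_url.startswith(self.base):
            raise ValueError("not a short URL of this provider: %r" % short_url)
        return short_url[len(self.base):]

    def handle_request(self, path):
        """What the provider's web server does for GET /<identifier>.

        Returns (status, location): 302 with the long URL when the
        identifier is known, 404 otherwise. Each redirect served is
        counted, which is the basis of the "how many people used this
        link" statistics some providers offer.
        """
        ident = path.lstrip("/")
        target = self._targets.get(ident)
        if target is None:
            return 404, None
        self._hits[ident] += 1
        return 302, target

    def hits(self, short_url):
        """Number of times the given short URL has been followed."""
        return self._hits[self.identifier(short_url)]


if __name__ == "__main__":
    svc = Shortener()
    long_url = "http://www.cert-ist.com/fra/presentation/HistoriqueduCertIST"
    first = svc.shorten(long_url)
    second = svc.shorten(long_url)   # a second, different short URL for the same page
    print(first, second, sep="\n")
    print(svc.handle_request("/" + svc.identifier(first)))   # (302, long_url)
    print(svc.handle_request("/doesnotexist"))               # (404, None)
```

Two details matter for the rest of the article: the identifier carries no information about the destination, so the destination is invisible until the redirect is actually followed, and nothing prevents one destination from sitting behind any number of distinct identifiers.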


Short URL’s as a new attack vector

Although short URL’s are useful for many Internet services, they are also known to raise security issues, because malicious users have diverted them from their initial purpose and use them as a new attack vector.

Shortening or transforming a complex URL indeed has the side effect of masking the actual destination referred to by the (long) URL. This gives malicious users a means to deceive not only users but also filtering equipment and technologies. Spammers, malware authors and hackers have understood this and found a new way to build attacks, redirecting their victims (via short URL’s) to phishing sites or sites hosting malware.

Short URL’s have also become a formidable weapon for botnets, which have found ways to generate such short links automatically in order to deceive their victims. Moreover, since several short addresses can be associated with URL’s that redirect to the same destination, a phishing attack can for example bypass mechanisms based on black listing.


Protection mechanisms

In these attacks, short link providers play an intermediary role that shields the destination sites, much as bulletproof hosting sites do. Some unscrupulous providers therefore effectively protect many malicious sites.

Several of them have been shut down because of their exploitation for malicious purposes. Those closures indirectly stopped thousands of malicious redirections.

Unfortunately there is no infallible protection mechanism against short URL’s. Some avenues exist, but they are currently implemented neither in browsers, nor in mail or messaging clients, nor in protection solutions such as anti-virus or anti-malware.

Amongst those avenues, let’s name:
  • Preview of links by the browser or by the messaging client (whether mail or instant messaging),
  • Pre-interpretation of short links by anti-virus or anti-malware, or by filtering components (proxy, …),
  • Visualisation of links in sandboxes,
  • Usage of black lists,
  • Usage of white lists (listing trusted short link providers).
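As an added example, not code from the original article, the following Python script combines the first, fourth and fifth avenues in the list above into a link checker: it pre-resolves a short link by following its redirects with HEAD requests (so the final page is never downloaded or rendered), then compares every host seen along the way against a black list and a white list of trusted short link providers. The live fetcher http_head is included for real use; the verdict logic, the function names, the hosts short.url.provider.com and malicious.example, and the responses in FAKE_RESPONSES (a constructed stand-in for the network) are assumptions made for the example, while bit.ly and tinyurl.com are the providers named earlier on the page.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_head(url, timeout=5):
    """Live fetcher: one HEAD request, redirects NOT followed automatically.

    Returns (status, headers) with lower-cased header names. Only the
    headers are read, so no page content is downloaded or rendered.
    """
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def expand(url, fetch, max_hops=10):
    """Follow Location headers hop by hop; return (chain of URLs, outcome).

    outcome is "resolved" when a non-redirect answer was reached, "loop"
    when a URL repeats, "too_many_hops" when max_hops is exhausted.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        location = headers.get("location")
        if status not in REDIRECT_CODES or not location:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)   # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def host_of(url):
    """Lower-cased host name of a URL (empty string if there is none)."""
    return (urlsplit(url).hostname or "").lower()


def assess(url, fetch, black_list, trusted_providers):
    """Verdict for a link before the user follows it.

    "block"  - a black-listed host appears anywhere in the chain, or the
               destination could not be determined (loop / too many hops);
    "review" - a redirecting host is not a white-listed provider;
    "allow"  - every redirector is trusted and the destination is known.
    """
    chain, outcome = expand(url, fetch)
    hosts = [host_of(u) for u in chain]
    if any(h in black_list for h in hosts) or outcome != "resolved":
        return "block", chain
    if any(h not in trusted_providers for h in hosts[:-1]):
        return "review", chain
    return "allow", chain


# Constructed responses standing in for the network, keyed by URL.
FAKE_RESPONSES = {
    "http://short.url.provider.com/XpmC89OA":
        (302, {"location": "http://www.cert-ist.com/fra/presentation/HistoriqueduCertIST"}),
    "http://www.cert-ist.com/fra/presentation/HistoriqueduCertIST": (200, {}),
    "http://bit.ly/abc": (301, {"location": "http://tinyurl.com/def"}),
    "http://tinyurl.com/def": (302, {"location": "http://malicious.example/login"}),
    "http://malicious.example/login": (200, {}),
    "http://short.url.provider.com/loop1": (302, {"location": "/loop2"}),
    "http://short.url.provider.com/loop2": (302, {"location": "/loop1"}),
}


def fake_fetch(url):
    """Offline fetcher with the same (status, headers) contract as http_head."""
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    black = {"malicious.example"}
    trusted = {"bit.ly", "tinyurl.com", "short.url.provider.com"}
    for link in ("http://short.url.provider.com/XpmC89OA", "http://bit.ly/abc",
                 "http://short.url.provider.com/loop1"):
        verdict, chain = assess(link, fake_fetch, black, trusted)
        print(verdict, " -> ".join(chain))
```

Passing `http_head` instead of `fake_fetch` runs the same logic against live servers. The chain returned by `expand` is what a preview feature would show the user, and checking every host in the chain rather than only the last one is what defeats the trick, mentioned above, of chaining several short addresses in front of one black-listed destination.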


Conclusion

The boom of social networks and blogs, together with the needs of web site developers, has driven the rapid spread of short URL usage. While this technology was obviously not developed for malicious purposes, it has nevertheless been turned to them.

The user is the central element here, and making his/her life easier (by offering short URL’s) also exposes him/her to a higher security risk. One must therefore be prudent and remain vigilant when using short links, especially when they come from untrusted or unknown sources.
