Royal Pingdom


Things a hacked URL shortening service could do to you

URL shortening services have been around for a long time (TinyURL started back in 2002) but it wasn’t until Twitter started gaining momentum that they became widely popular. Now we have a TON of them, including the original TinyURL, Bit.ly, Is.gd, and many, many more.

We have all placed an enormous amount of trust in these services by using them to such a large extent. They offer a legitimate, highly useful service, but we should at least be aware of the flip side of the coin.

Inherent problems with URL shortening services

There are several inherent problems with the use of URL shortening services, especially the widespread use that has become common on the Web lately.

  • It’s a middleman service that can break or cause slowdown. A URL shortening service acts as a middleman, redirecting you to the page that matches the shortened URL. Not only will that add overhead to how quickly you can access the target website, but if the service breaks you won’t be able to access the URL at all.
  • What if the service disappears? If the service gets shut down for some reason, goes out of business, loses control of its domain name, or suffers from an irredeemable crash, your shortened URLs will never work again. (Although not a shortening service, remember how Del.icio.us competitor Ma.gnolia had to shut down after losing its data. These things do happen.)
  • Hidden target link. You can’t look at a shortened URL and see where it leads, which makes them popular for spam links.

And of course, there is always this nightmare scenario, which is what we referred to in the headline of this article:

Worst-case scenario, a hacked URL shortening service

Imagine if an enterprising hacker manages to compromise the URL shortening service you use (it’s happened). That hacker could potentially redirect ALL traffic going through the URL shortening service to whatever URL(s) he or she wants.

A compromised service could:

  • Redirect you to websites with malicious code. You can end up being redirected to a web page with malware that could compromise your computer.
  • Make you part of a DDoS attack. If all traffic (or a good part of it, especially for one of the larger services) is redirected to a specific target, the large amount of traffic would effectively become a DDoS attack on the target website.
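Because a shortened link hides its target (the "hidden target link" problem above) and a compromised service can point it anywhere, the defensive habit is to expand the link without loading anything at the destination. The following is an added example, not code from the original post or from Pingdom: it walks a redirect chain hop by hop, refuses non-HTTP targets, and stops on loops or over-long chains. The `fetch` callable and the redirect table are constructed stand-ins so it runs offline; a real fetcher would issue HTTP HEAD requests with automatic redirects disabled and return the status code and Location header.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # shorteners normally resolve in one or two hops; more is suspicious

# Constructed redirect table standing in for a shortening service's responses:
# url -> (status_code, Location header or None)
SAMPLE_RESPONSES = {
    "http://sho.rt/abc": (301, "https://example.com/article"),
    "https://example.com/article": (200, None),
    "http://sho.rt/loop1": (302, "/loop2"),              # relative Location header
    "http://sho.rt/loop2": (302, "http://sho.rt/loop1"),  # loops back to loop1
    "http://sho.rt/bad": (302, "javascript:void(0)"),     # non-HTTP target
}

def sample_fetch(url):
    """Stand-in for a HEAD request with redirects disabled (constructed data)."""
    return SAMPLE_RESPONSES.get(url, (404, None))

def expand(url, fetch=sample_fetch, max_hops=MAX_HOPS):
    """Return (final_url, chain, verdict) for a shortened URL.

    verdict is one of 'ok', 'loop', 'too_many_hops', 'unsafe_scheme' or 'dead'.
    Only headers are inspected; no page body at any hop is downloaded or run,
    so the real destination can be reviewed before anyone visits it.
    """
    chain = []
    current = url
    for _ in range(max_hops):
        chain.append(current)
        status, location = fetch(current)
        if status in (301, 302, 303, 307, 308) and location:
            nxt = urljoin(current, location)  # resolve relative Location headers
            if urlsplit(nxt).scheme not in ("http", "https"):
                return nxt, chain, "unsafe_scheme"
            if nxt in chain:
                return nxt, chain, "loop"
            current = nxt
        elif status == 200:
            return current, chain, "ok"
        else:
            return current, chain, "dead"
    return current, chain, "too_many_hops"
```

The returned chain is what you would show a user (or log for a mail gateway) in place of the opaque short link.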

Why we’ll keep using them anyway

In spite of everything we said in this article, URL shortening is a smart service, and in the era of Twitter pretty much a necessary one. You don’t want half of those 140 characters taken up by a long URL. Still, we suspect that it’s only a matter of time before one or more of the scenarios we have mentioned above become a reality. Hopefully we’re wrong. Knock on wood.

Photo by Ian Hampton.


6 Comments

You are forgetting the fact that url shortening services are breaking the search engines as we know it:
http://www.codinghorror.com/blog/archives/001276.html

Probably when a major internet company (like MS, Yahoo or Google) buys out or starts a URL shortening service of their own, then people will all move to using that, since they usually have more secure services that people already trust them with – mainly being their email!

Why do people use services like these anyway? What’s wrong with the html a tag?

Ever harder to spot – what about if a hacker selectively picked out a few shortened URLs (the ones with the most links to them), say the ones used in a PR campaign, and 301′ed them just for search engine spiders?

(redirecting for all users or redirecting all URLs for spiders only would get caught pretty quickly)

Or even better – what if they *ran* the URL shortening service, and could do things like that easily behind the scenes?

Really nice fact I came to know. I use bit.ly for shortening, but I think we can use our own short URL service, and after reading this article I will probably create my own ASAP. Add the Google Short Links service to your Google Apps domain.

One service I found is http://www.google.com/enterprise/marketplace/viewListing?productListingId=5143210+6352879591152674960 but it does not provide 301 redirects.

I think http://get-shorty.com/ is a good alternative.

Thanks for the great post.

Here’s a video on how to make your own short URLs:
http://screenr.com/nTs

My down and dirty short URL (scroll down for the details):
http://jedsweb.net/urls.php

You are right, Aniruddh.

