Possible Risks with Shortened URLs and How to Avoid it?

Posted by Scripting in Ethical Hacking Tips.
URL-shortening services, such as those offered by TinyURL.com and Bit.ly, have become a popular target for attackers. After reading this article you will probably no longer click on a shortened URL automatically!

URL shortening was originally developed to stop long URLs from being broken across lines in e-mail messages. The still growing popularity of instant messaging (IM) and Twitter has further increased the use of URL-shortening services: Twitter limits a message to 140 characters, so longer links cannot be sent through it.

How does URL shortening work?

TinyURL, Bit.ly and the other websites that provide URL shortening all work in a similar way.

All you need to do is:
  1. Go to one of these sites (e.g. Bit.ly)
  2. Paste the URL of the page into the appropriate field
  3. Click "Shorten"
  4. The site generates a shortened URL
  5. That's all


Possible phishing methods:

As with many other applications that are useful to normal users, attackers and spammers on the other side try to turn these services to their advantage. URL shortening gives attackers and spammers the following abilities:
  1. Spammers can bypass anti-spam filters, because the TinyURL.com and Bit.ly domains are automatically treated as trusted.
  2. Even experienced users are prevented from recognizing whether a URL is suspicious.
  3. Users can be redirected to phishing sites that capture sensitive personal information.
  4. Users can be redirected to sites hosting malicious content (malware).

As you can see, there are many opportunities for abuse, because the victim cannot know where the given URL points.

The picture above shows a fake phishing e-mail containing such a link.

How to protect yourself?

TinyURL preview feature

To view the original URL behind a link shortened by TinyURL, go to http://www.tinyurl.com/, open the "Feature Preview" page and click "Click here to enable previews." (you need to have cookies enabled). From then on, whenever you click a shortened TinyURL link, the browser first shows a preview of the original URL.



Bit.ly preview feature

Bit.ly uses a different solution: an add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/10297). Once it is installed, you can hover the mouse over a Bit.ly shortened URL and the add-on displays the original URL. The add-on is still under development, so before you can install it you need to log in or register at mozilla.org.



Never open shortened URLs directly without previewing them.
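The preview features above depend on the shortener offering one. As an added example (not code from the original article or from TinyURL/Bit.ly), the following Python script resolves a shortened link itself: it follows the redirect chain hop by hop with HEAD requests, never fetching the final page, and stops on redirect loops or suspiciously long chains. The `fetch_location` hook, the hop limit and the hostnames in `SAMPLE_REDIRECTS` are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumed limit: real shortener chains are 1-3 hops, longer is suspicious

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each Location header is read by us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def head_location(url):
    """Live resolver: one HEAD request, returns the Location header or None."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces here
        return err.headers.get("Location") if 300 <= err.code < 400 else None

def expand_short_url(url, fetch_location=head_location):
    """Return (chain, verdict): every URL visited and why resolution stopped.
    verdict is 'ok', 'loop', 'too_many_hops' or 'bad_scheme'."""
    chain, seen = [url], {url}
    current = url
    for _ in range(MAX_HOPS):
        if urlsplit(current).scheme not in ("http", "https"):
            return chain, "bad_scheme"      # e.g. a javascript: or data: Location
        location = fetch_location(current)
        if location is None:                # not a redirect: this is the real page
            return chain, "ok"
        nxt = urljoin(current, location)    # Location may be relative
        if nxt in seen:
            return chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return chain, "too_many_hops"

def preview_line(chain, verdict):
    """One line to show the user before they click: where the link really goes."""
    return "%s -> %s (host %s, %d hop(s), %s)" % (
        chain[0], chain[-1], urlsplit(chain[-1]).netloc, len(chain) - 1, verdict)

# Constructed offline sample standing in for live HTTP responses (hypothetical hosts).
SAMPLE_REDIRECTS = {
    "https://bit.ly/example1": "https://t.co/example2",
    "https://t.co/example2": "http://secure-login.example.invalid/yahoo/",
}

if __name__ == "__main__":
    print(preview_line(*expand_short_url("https://bit.ly/example1", SAMPLE_REDIRECTS.get)))
```

Passing `SAMPLE_REDIRECTS.get` as the resolver runs the whole chain offline; dropping that argument makes the same function query the real servers.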
GrayHat (Join Date: Oct 2011), Newbie Member
Very true with respect to the below.

A URL could be malformed where a URL redirection parameter exists, or one could shorten the URL and share it on social media saying "To log in to X application, click here" or anything that makes them use that URL. Create a spoof page which looks like the GUI of the original application, and now do whatever you want, like stealing the credentials.
Alex.Gabriel, Contributor
Yeah, you are right. I have succeeded in creating, in 2 minutes, a fake page for Yahoo which saves your password and then logs you into Yahoo Mail without any time to see what's happening.