Go4Expert (http://www.go4expert.com/)

Scripting 27Jul2011 22:50

Possible Risks with Shortened URLs and How to Avoid it?
URL-shortening services, such as those offered by TinyURL.com and Bit.ly, have become a popular target of attacks. After reading this article you will probably not automatically click on a shortened URL!

Originally, the process of shortening URLs was developed to prevent damage to URLs in e-mail messages. The still-growing popularity of instant messaging (IM) and Twitter has further increased the use of URL-shortening services: Twitter has a limit of 140 characters per message, so longer links cannot be sent through it.

How does URL shortening work?

TinyURL, Bit.ly and other Web sites providing URL shortening work similarly.

All you need to do is:
  1. Go to one of these sites (e.g. Bit.ly)
  2. Paste the URL of the page into the appropriate field
  3. Click on "Shorten"
  4. The page will generate a shortened URL
  5. That's all

Possible phishing methods:

As with many other applications that are useful to normal users, attackers and spammers, on the other side, tend to exploit these services in their favor. URL shortening gives attackers and spammers the following abilities:
  1. Allows spammers to bypass anti-spam filters, because the TinyURL.com and Bit.ly pages are automatically determined to be trusted.
  2. Prevents experienced users from recognizing whether or not a URL is suspicious.
  3. Redirects users to phishing sites to capture sensitive personal information.
  4. Redirects users to sites with malicious content (malware).

As you can see, there are many opportunities to abuse it, because the victim cannot know where the given URL points.

In the picture above you can see the use of a fake phishing e-mail with a link.

How to protect?

TinyURL preview feature

To view the original URL that was shortened by TinyURL, just go to http://www.tinyurl.com/, go to "Feature Preview" there and then click on "Click here to enable previews." (You need to have cookies enabled.) Now when you click on any shortened URL, the browser first goes to a preview of the original URL.

Bit.ly preview feature

Bit.ly uses a different solution. It created an add-on for Firefox (https://addons.mozilla.org/en-US/firefox/addon/10297) which, when installed, lets you place your mouse over a Bit.ly shortened URL and displays the original URL. This add-on is still under development, so before you can install it you need to log in / register at mozilla.org.

Never open shortened URLs directly without previewing
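The "preview before you click" advice above can also be done from a script rather than relying on each shortener's own preview feature. The following is an added example, written for this thread; it is not code from the post, from TinyURL or from Bit.ly. It expands a shortened URL by following HTTP redirects with HEAD requests only (no page body is ever fetched), caps the number of hops, detects redirect loops and flags a couple of suspicious destinations. The `FAKE_SERVERS` table and its URLs are constructed stand-ins for the shorteners' servers so the block runs offline; `http_head` performs the real lookup when you point `expand_short_url` at a live link.

```python
"""Preview where a shortened URL leads without opening it in a browser.

Added example, not code from the Go4Expert post or from TinyURL/Bit.ly:
walks the HTTP redirect chain with HEAD requests only (no page bodies are
fetched), so the real destination can be read before anyone clicks.
"""
import http.client
import ipaddress
import urllib.parse

# Shortener hosts named in the post; the list is illustrative, not complete.
SHORTENER_HOSTS = {"tinyurl.com", "www.tinyurl.com", "bit.ly", "www.bit.ly"}
MAX_HOPS = 5


def is_shortener(url):
    """True if the URL's host is one of the known shortener domains."""
    host = (urllib.parse.urlsplit(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def http_head(url):
    """Send one HEAD request; return (status, Location header or None).

    Redirects are deliberately not followed here: the caller decides.
    """
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=10)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_short_url(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow 3xx redirects hop by hop and return a report dict.

    fetch(url) -> (status, location) is injectable so the walk can be
    exercised offline against a constructed redirect table.
    """
    chain, seen, warnings = [url], {url}, []
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if not (300 <= status < 400 and location):
            break                                      # reached a non-redirect
        nxt = urllib.parse.urljoin(current, location)  # Location may be relative
        if nxt in seen:
            warnings.append("redirect loop")
            break
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    else:
        warnings.append(f"stopped at hop limit ({max_hops}); destination not confirmed")

    final = chain[-1]
    final_host = urllib.parse.urlsplit(final).hostname or ""
    try:
        ipaddress.ip_address(final_host)
        warnings.append("destination host is a bare IP address")
    except ValueError:
        pass  # a normal host name, not an IP literal
    if (urllib.parse.urlsplit(url).scheme == "https"
            and urllib.parse.urlsplit(final).scheme == "http"):
        warnings.append("downgrade from https to plain http")
    return {"chain": chain, "final": final, "final_host": final_host,
            "hops": len(chain) - 1, "warnings": warnings}


# Constructed redirect table standing in for the shorteners' servers (assumption:
# these short links and destinations are made up for the demo).
FAKE_SERVERS = {
    "http://bit.ly/abc123": (301, "https://example.com/login"),
    "https://example.com/login": (200, None),
    "http://tinyurl.com/loop1": (301, "http://tinyurl.com/loop2"),
    "http://tinyurl.com/loop2": (301, "http://tinyurl.com/loop1"),
    "http://bit.ly/ipdest": (302, "http://198.51.100.7/update.exe"),
    "http://198.51.100.7/update.exe": (200, None),
}


def fake_head(url):
    """Offline stand-in for http_head driven by FAKE_SERVERS."""
    return FAKE_SERVERS.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://bit.ly/abc123", "http://tinyurl.com/loop1", "http://bit.ly/ipdest"):
        report = expand_short_url(short, fetch=fake_head)
        print(short, "->", report["final"], report["warnings"])
```

Using HEAD instead of GET matters: a GET would download whatever sits at the destination, which defeats the purpose of previewing. The hop limit and loop check stop a chain of shorteners from keeping the script busy forever, and the warnings are only hints for a human to read before deciding to click.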

GrayHat 25Oct2011 14:30

Re: Possible Risks with Shortened URLs and How to Avoid it?
Very true with respect to below,

A URL could be malformed where a URL redirection parameter exists, or you shorten the URL and share it on social media saying "To Login to - X - application click here" or anything that makes them use that URL. Create a spoof page which looks like the GUI of the original application, and now do whatever you want, like stealing the credentials.
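The redirection-parameter abuse mentioned in the reply above is something the application owner can close on the server side: a "redirect after login" parameter should only ever be allowed to point back into the same site. The following is an added example and is not code from the reply or from any particular application; the parameter name `next_param` and the sample inputs are assumptions made for the demonstration.

```python
"""Validate a "redirect after login" parameter so it can only point back
into the same site.

Added example, not from the Go4Expert reply: the reply describes abusing a
redirection parameter; this is the server-side check that closes it. The
name next_param and the SAMPLES list are assumptions for the demo.
"""
import urllib.parse


def safe_redirect_target(next_param, default="/"):
    """Return next_param only if it is a site-relative path, else default.

    Rejects absolute URLs (http://host/...), protocol-relative ones (//host),
    backslash variants (/\\host) and non-http schemes (javascript:).
    """
    if not next_param:
        return default
    # Some browsers treat backslashes as forward slashes; normalise first so
    # "/\\evil.example" is judged the same way as "//evil.example".
    candidate = next_param.replace("\\", "/")
    parts = urllib.parse.urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default          # absolute or protocol-relative URL
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default          # not a path, or a disguised "//host"
    return candidate


# Constructed sample inputs, as a login handler might receive them.
SAMPLES = [
    "/account/settings?tab=security",
    "//evil.example/login",
    "http://evil.example/login",
    "/\\evil.example",
    "///evil.example",
    "javascript:alert(1)",
    "",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value), "->", safe_redirect_target(value))
```

The check deliberately refuses anything that is not a plain site-relative path instead of trying to blacklist known tricks; if a legitimate flow needs to send users to another host, keep an explicit allow-list of those hosts rather than trusting the parameter.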

Alex.Gabriel 26Oct2011 00:02

Re: Possible Risks with Shortened URLs and How to Avoid it?
Yeah, you are right. I have succeeded in creating, in 2 minutes, a fake page for Yahoo which saves your password and then logs you on to Yahoo Mail without any time to see what's happening.
