
SANS ISC: InfoSec Handlers Diary Blog



TinyURL and security

Published: 2009-03-10
Last Updated: 2009-03-10 23:31:53 UTC
by Swa Frantzen (Version: 3)

Roseman wrote in with a pointer to a TechRepublic blog that points out the well-known danger of short URL services and their widespread use.

The blog also pointed out:

  • TinyURL has a preview function that (once you set the cookie) allows you to see where you're being redirected before it happens. Set the cookie here: http://tinyurl.com/preview.php
  • Bit.ly has an add-on for Firefox that allows you to see where the URL points to, in addition to some statistics.

Those measures reduce some of the dangers, but by far not all of the dangers of users being accustomed to clicking on links they receive via Twitter, IM, or email. It's still far safer to go to any place where you need to log in, such as your bank, via a bookmarked link only. Those bookmarks reduce the exposure to phishing attempts that email you funny URLs, to typo squatters, etc. Add in a properly working certificate on the SSL version of the website and you've got some serious defense going as a user, as long as you do not accept bad certificates.

UPDATE:

  • There are more generic plug-ins for this for Firefox. Suggestions we received include "Long URL Please" and "LongURL Mobile Expander". Use at your own risk.
  • TinyURL has a manual version of the preview: change http://tinyurl.com/X into http://preview.tinyurl.com/X .
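
The manual preview rewrite from the update, applied to every TinyURL link in a message before it is shown to a user. This is an added example, not code from the diary or from TinyURL; the function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts treated as the TinyURL short-link service (exact match only).
SHORT_HOSTS = {"tinyurl.com", "www.tinyurl.com"}
PREVIEW_HOST = "preview.tinyurl.com"

# Rough URL matcher for plain-text messages (email, IM, tweets).
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def to_preview(url):
    """Return the preview.tinyurl.com form of a TinyURL link.

    Anything that is not exactly a TinyURL short link is returned unchanged.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return url  # malformed URL: leave it alone
    # Compare the whole netloc, not a substring: this rejects lookalikes such
    # as tinyurl.com.example.net and userinfo tricks such as
    # tinyurl.com@example.net, where the real host is example.net.
    if parts.netloc.lower() not in SHORT_HOSTS:
        return url
    # The bare home page has no short code to preview.
    if parts.path in ("", "/"):
        return url
    return urlunsplit(
        (parts.scheme, PREVIEW_HOST, parts.path, parts.query, parts.fragment)
    )


def rewrite_message(text):
    """Rewrite every TinyURL link found in a block of text."""
    return URL_RE.sub(lambda m: to_preview(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample message; the short codes are placeholders.
    sample = (
        "Meeting notes: http://tinyurl.com/abc123\n"
        "Lookalike host: http://tinyurl.com.example.net/abc123\n"
        "Userinfo trick: http://tinyurl.com@example.net/abc123\n"
        "Other site: http://example.org/page\n"
    )
    print(rewrite_message(sample))
```

Only the first link in the sample is rewritten; the lookalike and userinfo forms are left as they are because their real host is not TinyURL.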

--
Swa Frantzen -- Section 66

Keywords: bitly preview tinyurl