URL shortening services are ubiquitous these days, so we tend to forget how these systems can be exploited if not properly secured. The latest example comes via an announcement that Cli.gs, the 4th most popular URL shortening service on Twitter, has been hacked. According to the Cli.gs blog, sometime late Sunday night a hacker exploited a security hole that allowed the attacker to redirect around 2.2 million cli.gs URLs to a single domain name, freedomblogging.com.
Cli.gs states, “I’ve identified the hole and disabled all cligs editing for now and I’m restoring the URLs back to their original destination states. However, the most recent backup is from early May, and so we may have lost all URLs created since then.”
URL shortening services have long been a source of paranoia for web-savvy users. The simple fact that you can’t see the link you are about to visit gives attackers an opportunity to lure unsuspecting users to malware-laden sites. Normally this is seen on an individual basis, but this incident of an attacker taking over 2.2 million URLs will surely entice other hackers to try their hand at mass-exploiting the system.
What do you do to protect yourself?
Several URL shortening services have incorporated link previews and browser add-ons to help users identify the resulting long URL, and there are numerous userscripts that preview a shortened URL before you visit it. In the end, we all must rely on the URL shortening providers to secure their systems.
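What a link-preview tool actually does is follow the HTTP redirect chain behind a short URL without rendering the destination page. The following Python is an added example written for this post, not code from Cli.gs or from any of the add-ons mentioned; the short codes and destination hosts in its redirect table are constructed stand-ins, and the live `head_request` helper is only needed if you point the expander at a real network. It shows the failure modes a preview tool has to handle: relative `Location` headers, redirect loops, dead links, and chains that never settle.

```python
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
import urllib.request

# Constructed redirect table: (status code, Location header) per URL.
# The cli.gs short codes and destination hosts here are made up for the
# example; they stand in for the responses a HEAD request would return.
FAKE_RESPONSES = {
    "http://cli.gs/abc123": (301, "http://example-shortener.test/x9"),
    "http://example-shortener.test/x9": (302, "/landing?ref=short"),  # relative Location
    "http://example-shortener.test/landing?ref=short": (200, None),
    "http://cli.gs/loop1": (301, "http://cli.gs/loop2"),
    "http://cli.gs/loop2": (301, "http://cli.gs/loop1"),            # redirect loop
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def fake_head(url):
    """Offline stand-in for a HEAD request; unknown URLs look dead (404)."""
    return FAKE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect each hop."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_request(url, timeout=5):
    """Live HEAD request returning (status, Location) for one hop only.
    Assumption: the target answers HEAD; some hosts only honour GET."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:              # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location")
    except URLError:
        return 0, None                    # DNS failure, refused, timeout


def expand_short_url(url, head=fake_head, max_hops=10):
    """Follow redirects hop by hop and report where a short URL really goes.

    Returns a dict with the final URL, the full chain of hops, and a status
    of 'ok', 'dead', 'loop' or 'too_many_hops'. Nothing is rendered or
    executed; only status codes and Location headers are inspected.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            return {"final": url, "chain": chain,
                    "status": "ok" if status == 200 else "dead"}
        # Location may be relative; resolve it against the current hop.
        url = urljoin(url, location)
        if url in seen:
            return {"final": url, "chain": chain + [url], "status": "loop"}
        seen.add(url)
        chain.append(url)
    return {"final": url, "chain": chain, "status": "too_many_hops"}


if __name__ == "__main__":
    for short in ("http://cli.gs/abc123", "http://cli.gs/loop1", "http://cli.gs/gone"):
        result = expand_short_url(short)
        print(f"{short} -> {result['final']} [{result['status']}]")
        print("   hops:", " -> ".join(result["chain"]))
```

To use it against real links, pass `head=head_request`. The hop limit matters as much as the loop check: a shortener that chains through several other shorteners is exactly the kind of link a preview tool should flag rather than silently resolve.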
Is it not pretty weird that such a big websites just has a backup from early May?
Daily backup turned off inadvertently and neither the support or maintenance people noticed…? Seems like Cli.gs could do with a major operational strategy overhaul…
Kevin, thank you so much for stopping by. I was wondering about the tie-in to your site. Glad to get more details.
Thanks
Their announcement states that their daily backups were turned off inadvertently. It is just another reason that companies should test their disaster recovery measures before disaster strikes.
The bigger question, will this kill Cli.gs? Even if they’ve fixed the problem can they recover user confidence?
If you are looking for tools to protect yourself try one of the following.
The Bit.ly Preview Firefox Add-on
https://addons.mozilla.org/en-US/firefox/addon/10297
(I’m a user of bit.ly and I’ve used this addon for several months. It’s my choice)
LongURL Tools
http://longurl.org/tools
Firefox addon, userscript, and ubiquity extension available.
LongURL Please
http://www.longurlplease.com/
Firefox addon and bookmarklet available
TinyURL Decoder
http://userscripts.org/scripts/show/40582
Greasemonkey Userscript
Very good point. The lack of data retention will likely have a larger effect than the hack itself. Funny how that works.
Magnolia jumped to my mind while writing this article. I’d been a Magnolia user and then about 3 weeks prior to their demise I switched to Diigo.
I completely agree that we need some trusted names in shortened URLs. It makes you wonder why Google (esp w/ analytics) doesn’t come out with one, or Amazon w/ their a9.com domain. Either one would be an overnight success.
Any idea when this will be fixed?
I think it will be… but it is really worse than it should have been because they don’t have a recent backup! Because the one thing their users are really gonna notice is the loss in URLs, not the hack itself.
This brings the whole URL shortening service debate back to the forefront of people’s minds and perhaps will make people think more seriously about it.
We are trusting random companies, not even big brand names, with our content. There is no excuse for not having regular backups. We really need some trusted names in the URL shortening business, and we really need to make the average user more aware of how to protect themselves.
Magnolia obviously wasn’t a big enough wakeup call.
Thanks for commenting Richard. I agree that every service has vulnerabilities and that Cligs won’t be the last to be targeted. However, the lack of good backups will erode confidence very quickly.
Thanks for reading.
It would be a shame if their client base did lose confidence as the vulnerability hole is something that every programme has if you look hard enough. They just got unlucky, and this will probably not be the first of the URL shortening services that are targeted.
As stated by Keith above, people should be using add-ons to reveal the actual URL for just these sorts of reasons. My personal favourite (supports a lot of URL shortening services) is the Greasemonkey script TinyURL Decoder. Works straight out of the box on Twitter and gives you the ability to add any site to its list.
Thanks for the post Keith.
I’m the author of the blog post to which the hacker redirected the 2.2 million links. Thank you for addressing the serious concerns with URL shorteners in general.
I agree with your advice to use a tool that reveals the “real” address of shortened web addresses. I have the LongURL Please bookmarklet installed on my browsers (right next to the Cligs bookmarklet). Another easy tip: click on a shortened URL before posting it on Twitter.
The attack might have been random, but my personal blog — self-promotional link intentionally omitted — happens to cover hyperlinks, especially as it pertains to journalism and social media. That blog is a side project with little traffic (not a high-profile target), but the Cligs hack pointed URLs to one of my first posts for a news organization: my employer, The Orange County Register.
As soon as I discovered the hack, via Cligs’ statistics tool, I tried to contact them through their site. I later reached out to @cligs and was able to get on the phone with the creator of the free service. He shared a few more details about the problems, which I’ve shared in a blog post: How we got 2.2 million Internet links … temporarily!
Just a note to let you know that the latest version of Tweetdeck provides a shortened URL preview feature. Enable the feature in Settings->General Tab by checkmarking “Show preview information for short URLs”.
Once enabled when you click a short URL is opens up a mini window that shows the Title and Long URL.
Hi I am a sys admin
We received a few spam emails today with a shortened link from cli.gs which redirects to a Trojan download. Thought I would let you know since I came across this via Google.
The spam email had a subject of Fotos 27/07.
few pictures with cli.gs
thanks
@ Emil
Users in my network started getting emails with Short URL links (FOTOS 27/07 in body of the email) which connects to some script which then forwards the email to all the contacts in the user’s address book. A new stuff this one??? Don’t know whether it stays in the computer to wake up later!
TY
Those sites are a given to anyone that has been using the internet since age 14yrs.
tinyurls are funny to laugh at, to actually see some1 falling for it..it amazes me, just today…
some1 replied to my ad, with the CLI url,lol saying the product was much cheaper there, and to view that url and match the price.
needless to say, i sent him my own fake URL, but this one deletes windows DIR,hahaha
i just don’t understand why my blog is ranked number 4 on google when searching cli.gs…. regarding the hack, i luckily haven’t noticed it in my 15.000 cli.gs url shortened tweets….
Hi, just to update that today (19/3/2010) it appears cli.gs has been hacked again. Twice in less than a year…
P.S. It appears the blog has also been hacked. So no way of getting info from cli.gs.
My worried concerns exactly…
Shouldn’t their backup be on a daily basis…?
it’s one guy