URL shortening services are ubiquitous these days, so we tend to forget how these systems can be exploited if not properly secured. The latest example comes via an announcement that Cli.gs, the 4th most popular URL shortening service on Twitter, has been hacked. According to the Cli.gs blog, sometime late Sunday night a hacker exploited a security hole that allowed the attacker to redirect around 2.2 million cli.gs URLs to a single domain name, freedomblogging.com.
Cli.gs states, “I’ve identified the hole and disabled all cligs editing for now and I’m restoring the URLs back to their original destination states. However, the most recent backup is from early May, and so we may have lost all URLs created since then.”
URL shortening services have long been a source of paranoia for web-savvy users. The simple fact that you can’t see the link you are about to visit gives attackers an opportunity to lure unsuspecting users to malware-laden sites. Normally this is seen on an individual basis, but this incident, in which an attacker took over 2.2 million URLs at once, will surely entice other hackers to try their hand at mass exploitation of these systems.
What do you do to protect yourself?
Several URL shortening services have incorporated link previews and browser add-ons to help users identify the resulting long URL, and there are numerous user scripts that preview a shortened URL before you visit it. In the end, we all must rely on the URL shortening providers to secure their systems.
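The link previews mentioned above work by resolving a short link's redirect chain without ever loading the destination page. The following is an added example written for this post, not code from Cli.gs or from any preview service: it stands up a constructed fake shortener on localhost (the paths `/abc`, `/xyz`, `/final` and `/loop` are made up), expands a short link with HEAD requests that never auto-follow redirects, caps the number of hops so a redirect loop cannot hang the check, and includes a small detector for the pattern behind the incident above, namely many unrelated short links all landing on one destination host. The `MAX_HOPS` limit and the 50% share threshold in `dominant_destination` are assumptions chosen for the example.

```python
import http.client
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed cap on redirect hops; protects against redirect loops

# Constructed redirect table for a fake shortener; these paths are invented.
REDIRECTS = {
    "/abc": "/xyz",     # two-hop chain ending at /final
    "/xyz": "/final",
    "/loop": "/loop",   # deliberate redirect loop
}


class _FakeShortenerHandler(BaseHTTPRequestHandler):
    """Minimal shortener: 301 to the mapped target, 200 at /final, else 404."""

    def do_HEAD(self):
        if self.path == "/final":
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            return
        target = REDIRECTS.get(self.path)
        if target is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(301)
        self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_fake_shortener():
    """Start the fake shortener on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), _FakeShortenerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def expand_url(short_url, max_hops=MAX_HOPS):
    """Resolve a short link hop by hop using HEAD requests.

    Returns (chain, final_status, outcome): chain lists every URL visited,
    final_status is the last HTTP status seen, and outcome is "resolved"
    when a non-redirect response ended the chain or "too_many_hops" when
    the cap was hit. Only plain http:// URLs are handled in this example.
    """
    chain = [short_url]
    current = short_url
    status = None
    for _ in range(max_hops):
        parts = urlsplit(current)
        if parts.scheme != "http":
            return chain, status, "unsupported_scheme"
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        try:
            conn.request("HEAD", parts.path or "/")
            resp = conn.getresponse()
            status = resp.status
            location = resp.getheader("Location")
        finally:
            conn.close()
        if status in (301, 302, 303, 307, 308) and location:
            current = urljoin(current, location)  # relative Location is allowed
            chain.append(current)
            continue
        return chain, status, "resolved"
    return chain, status, "too_many_hops"


def dominant_destination(final_urls, threshold=0.5):
    """Flag when one host receives at least `threshold` of a sample of
    expanded links; unrelated short links converging on a single host is
    the signature of a mass redirect. Returns (host, share) or None."""
    if not final_urls:
        return None
    hosts = Counter(urlsplit(u).hostname for u in final_urls)
    host, count = hosts.most_common(1)[0]
    share = count / len(final_urls)
    return (host, share) if share >= threshold else None


if __name__ == "__main__":
    server, base = start_fake_shortener()
    for path in ("/abc", "/loop", "/missing"):
        print(path, expand_url(base + path))
    server.shutdown()
```

Running the block prints the chain for each constructed path; the loop case stops after `MAX_HOPS` hops instead of spinning forever, which is the property a preview tool needs most.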