HEAT Security Blog

Are TinyURLs (and their ilk) Evil?

A long time ago (in internet terms), I was intrigued by a new tool which would allow you to shorten URLs for easy posting, emailing and so forth. TinyURL was launched in early-02 and was, as I recall, an immediate hit. It creates a short alias for an original (long) URL; the alias simply redirects to the original, and if that URL had already been submitted, the existing tiny version was reused. These days, TinyURLs (and other services like it) are used pervasively in Twitter and the micro-blogging movement in general.

Pretty cool, but I was troubled, even back then before my days in the security software arena. How did I know what this link was *really* pointing me to? Could be anything, really … guess you have to trust the source of the tinified link. And in researching this post, I find that others had the same concerns; here is a post addressing this exact issue back in late-05. Others have pointed this out and more …

  • in Jun-02, Thomas Thurman invented something he called “TinyURL-whacking” (think whack-a-mole), which could be used to redirect users to phishing pages.
  • in Feb-06, Gordon Mohr at the Gojomo blog expands on the list of dislikes: they are opaque, hiding their ultimate destination (yup); they can be and often are used to send people to spam or malware sites (same thing, no?); and they introduce a dependency on a third-party service that could go away or be completely compromised in the future (hmmmm, interesting new point).
  • in Jun-06, Brian Krebs at the WaPo Security Fix blog posts about his first tiniaturized spam email and notes that using TinyURL to send either spam or malware is strictly against the company’s terms-of-use policy, and it seems to enforce those rules pretty vigorously (good to know).
    [In fact, this problem of TinyURLs being used in spam was an acknowledged problem as far back as late-03, as the founder said in this article.]
  • and last month Peter Gregory at the Securitas Operandi blog wrote that we should Put [our] trust back into TinyURL links, pointing out that [i]t basically comes down to trust: do you trust the source of the link, or is the creator of the link luring you into visiting a malicious website that will attempt to implant malware on your computer? And he echoes a point made in this post at Netfactory in May-08 that TinyURL has a (then new) option to allow you to preview the link (although you have to allow cookies on your box).
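The preview option only exists because the service chose to offer it; for any shortener (or a chain of them) you can get the same effect yourself by walking the redirect chain with HEAD requests and never auto-following, so the final page is identified without being loaded. The following is an added example written for this post, not code from TinyURL or any other service; the short-link hostnames, codes and redirect responses in the lookup table are constructed for the offline demo, and the "real" fetcher at the bottom is the only part that touches the network.

```python
"""Expand a shortened URL by walking its redirect chain without fetching
the final page. Added example for this post; all hostnames and responses
in FAKE_REDIRECTS are constructed, not real services."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 5  # assumption: more than this many hops is itself suspicious


def resolve(url, fetch_head, max_hops=MAX_HOPS):
    """Return (final_url, chain) for a short link.

    fetch_head(url) must return (status_code, headers_dict) for a single
    request and must NOT follow redirects itself; that is the whole point.
    Raises ValueError on a redirect loop or when max_hops is exhausted, so
    a hostile chain can never make us fetch indefinitely.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch_head(url)
        # Header names are case-insensitive; accept either spelling.
        location = headers.get("Location") or headers.get("location")
        if status in REDIRECT_CODES and location:
            # Location may be relative (RFC 7231 allows it); resolve it
            # against the URL that sent us the redirect.
            nxt = urljoin(url, location)
            if nxt in seen:
                raise ValueError("redirect loop at %s" % nxt)
            chain.append(nxt)
            seen.add(nxt)
            url = nxt
            continue
        # Non-redirect (200, 404, ...) means this is the real destination.
        return url, chain
    raise ValueError("gave up after %d hops: %s" % (max_hops, " -> ".join(chain)))


def hosts_in_chain(chain):
    """Distinct hostnames seen along the chain, in order of appearance.
    A destination host that matches nothing the sender mentioned is the
    kind of thing our 'BS antennae' should notice."""
    hosts = []
    for u in chain:
        h = urlsplit(u).netloc.lower()
        if h not in hosts:
            hosts.append(h)
    return hosts


# --- constructed, offline stand-in for a chain of shorteners --------------
FAKE_REDIRECTS = {
    "http://tinyurl.example/abc12": (301, {"Location": "http://bit.example/xyz"}),
    "http://bit.example/xyz": (302, {"Location": "/landing?ref=1"}),  # relative
    "http://bit.example/landing?ref=1": (307, {"Location": "https://malware.example/drop.exe"}),
    "https://malware.example/drop.exe": (200, {"Content-Type": "application/octet-stream"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}


def fake_head(url):
    """Constructed fetcher: looks the URL up in FAKE_REDIRECTS, 404 otherwise."""
    return FAKE_REDIRECTS.get(url, (404, {}))


# --- real fetcher: http.client never follows redirects on its own ---------
def http_head(url, timeout=5):
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("HEAD", path, headers={"User-Agent": "link-preview/0.1"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return resp.status, headers


if __name__ == "__main__":
    final, chain = resolve("http://tinyurl.example/abc12", fake_head)
    print("final:", final)
    print("chain:", " -> ".join(chain))
    print("hosts:", hosts_in_chain(chain))
    # Against a live link you would call resolve(url, http_head) instead.
```

Two things the example makes explicit that a browser hides: the Location header may be relative, so each hop must be resolved against the URL that issued it, and a chain of shorteners can loop or go on indefinitely, so the walker needs both a seen-set and a hop limit before it is safe to point at untrusted links.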

None of this is to pick on TinyURL (or the dozens of other similar services); I just find it interesting that this issue still rages, and at such a level that some changes were introduced (kudos). And I think it’s important to remember that while we spend a lot of time developing technology & processes to help protect computer systems from a myriad of badnesses like “drive-by malware,” it’s the human factor that is the wild card: ultimately it’s human intelligence that knows when to trust an email, a site or a link, be it tiny or not. We need to develop and implement all these technological tools, no doubt … but we also need to develop our BS antennae.

[Oh, and yes, I think you can trust the TinyURLs we use in our Tweets.]
