URL Shortening Dread
Apr 1, 2009

URL shortening is definitely on the "hot this spring" list – the list of services is growing, there’s news of $2M in funding, and all the cool content-constrained tweets and Facebook status updates are sporting bit.ly, is.gd, and ewerl.com links. It seems like a simple enough service, but what about the security implications? A quick Google search finds a discussion of drive-by attacks and phishing. It’s true that we don’t know the domain behind a tiny URL, and may get sent somewhere decidedly unfriendly. Many of the URL shortening sites have implemented previews to help out here.

What about cross-site scripting? I know that I suggested using tinyurl for a reflected XSS attack demo a while ago. As a simple proof of concept, here’s a reflected XSS vulnerability on xssed.com and the payload for both is.gd and bit.ly. Are there any URL shortening services out there that incorporate a NoScript-style anti-XSS approach?

What about cross-site request forgery? Bit.ly allows you to preview the full URL if you download their Firefox add-on, which may help you avoid obvious attacks.

Maybe a Site Advisor-like blacklist to prevent links to known bad guy sites?
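Here is an added sketch of what the NoScript-style intake filter and the blacklist idea from the two questions above would look like on the shortener's side: check the target URL before minting a short link, and expose the real host for a preview. This is illustration code written for this post, not code from bit.ly, is.gd or any other service; the scheme list, the regex, the decoding depth and the blocklist entries are my own constructed assumptions.

```python
"""Intake checks a URL shortener could run before issuing a short link.

Constructed example for this post. The heuristics are deliberately coarse,
in the NoScript spirit, and will reject some legitimate URLs."""
import re
from typing import Tuple
from urllib.parse import urlsplit, unquote

ALLOWED_SCHEMES = {"http", "https"}
# Constructed blocklist standing in for a Site Advisor-style feed.
BLOCKED_HOSTS = {"bad.example"}
# Markup and handler fragments a reflected-XSS payload typically carries.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*script|javascript:|\bon\w+\s*=|<\s*(iframe|img|svg)\b", re.I)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding so %253C cannot slip past the regex."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def check_target(url: str) -> Tuple[bool, str]:
    """Return (accept, reason) for a URL submitted to the shortener."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %s" % (parts.scheme or "(none)")
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS:
        return False, "host is on the blocklist: %s" % host
    # Only path, query and fragment are reflected by the target site,
    # so that is where a reflected-XSS payload would live.
    probe = fully_decode(parts.path + "?" + parts.query + "#" + parts.fragment)
    hit = SUSPICIOUS.search(probe)
    if hit:
        return False, "script-like content in target: %r" % hit.group(0)
    return True, "ok"


def preview(url: str) -> str:
    """What a preview page should show first: the real destination host."""
    return urlsplit(url).hostname or "?"
```

Double-decoding and the regex are where a real service would tune false positives; a host-only preview is the cheap part.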

Does anyone care? Do I need to write my own secure URL shortening service so I can raise $3M in funding and buy a really long foosball table for the break room?