loops and stretching with urlshorteners…

OnlineLife Net Webapps, english

there has been some discussion (via @mstrohm) on the security of urlshorteners and i have been thinking about it over the past few days.

putting the bottleneck problem aside (every shortened link depends on one central service staying up), we are left with spamming, loops and missing transparency when looking at urlshortening services. let’s say the advantage of shortening urls has to be paid for with one of the disadvantages, and let that one be the bottleneck: it’s clear that one cannot shorten a url and at the same time expect the link to be independent of a central service or distributed like DNS.

still there are 3 problems which have to be solved:

spamming: there are concepts we know from mail services that can narrow this issue down. is.gd uses the surbl blacklisting service to check for spam. with a little fine tuning this is manageable.

loops: similar to the spamming problem, there must be a blocklist of sites that are not accepted for shortening. qr.cx already implements a list of about 200 services that are blocked from shortening. is.gd says so too, although it accepted qr.cx links and others at the time of writing. this is really easy to implement and should be done by every shortening service.

transparency: the problem here is that users cannot see where they are going when clicking a shortlink. the solution is again very easy to implement. tinyurl implements it by putting ‘preview’ in front as a subdomain (http://preview.tinyurl.com/m5l96j) and qr.cx by appending ‘/get’ to the shortlink: http://qr.cx/1r8/get.
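what the three checks look like on the shortener side, in one small python module. this is an added example and not code from qr.cx, is.gd, tinyurl or any other service named here; the blocklist, the in-memory store, the sequential short-code scheme and the injected dns lookup are constructed so that it runs offline. the surbl query name it builds is the real lookup form (registered domain prepended to the list zone), only the resolver is faked.

```python
"""Shortener-side checks for the three problems described above: a spam
lookup on the target domain, a blocklist of other shorteners against
loops, and a preview lookup for transparency.

Added example, not code from qr.cx, is.gd, tinyurl or any other service
named in the post. The blocklist, the in-memory store, the short-code
scheme and the dns hook are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed: registered domains of other shortening services. A real
# list would be far longer (qr.cx blocks about 200 of them).
SHORTENER_BLOCKLIST = {"qr.cx", "bit.ly", "is.gd", "tinyurl.com"}

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def base36(n):
    """Sequential counter -> short code (1 -> '1', 36 -> '10')."""
    if n == 0:
        return "0"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = ALPHABET[r] + out
    return out


def registered_domain(hostname):
    """Last two labels of a hostname (www.example.org -> example.org).
    Simplification: multi-label public suffixes such as co.uk are ignored."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def surbl_query_name(hostname, zone="multi.surbl.org"):
    """DNS name a SURBL-style lookup resolves: the registered domain of
    the target in front of the list zone. A listed domain answers with
    an A record; an unlisted one gives NXDOMAIN."""
    return f"{registered_domain(hostname)}.{zone}"


class Shortener:
    def __init__(self, own_host, dns_has_record):
        # dns_has_record(name) -> bool is injected so the example runs
        # offline; a deployment would ask the system resolver instead.
        self.own_host = own_host
        self.dns_has_record = dns_has_record
        self._store = {}  # short code -> long url

    def check(self, url):
        """Return (accepted, reason) without storing anything."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False, "not an http(s) url"
        host = parts.hostname.lower()
        # loops: refuse our own links and links of other shorteners
        if host == self.own_host or registered_domain(host) in SHORTENER_BLOCKLIST:
            return False, "shortener links are not accepted (loop prevention)"
        # spam: SURBL-style lookup of the target domain
        if self.dns_has_record(surbl_query_name(host)):
            return False, "target domain is on the spam blocklist"
        return True, "ok"

    def shorten(self, url):
        accepted, reason = self.check(url)
        if not accepted:
            raise ValueError(reason)
        code = base36(len(self._store) + 1)
        self._store[code] = url
        return f"http://{self.own_host}/{code}"

    def preview(self, code):
        """Transparency: the destination without redirecting, like
        preview.tinyurl.com or qr.cx's /get. None for unknown codes."""
        return self._store.get(code)


def fake_dns(name):
    """Constructed listing: only spam.example is 'on' the list."""
    return name == "spam.example.multi.surbl.org"


if __name__ == "__main__":
    s = Shortener("sho.rt", fake_dns)
    print(s.shorten("http://twitter.com/flowolf/status/2312852042"))
    for u in ("http://qr.cx/8bm", "http://www.spam.example/offer",
              "http://sho.rt/1", "javascript:alert(1)"):
        print(u, "->", s.check(u))
    print(s.preview("1"))
```

the checks run before anything is stored, so a rejected url never gets a code. two things to keep in mind when turning this into a service: the two-label domain reduction is wrong for suffixes like co.uk (use a public suffix list), and sequential codes make the whole database enumerable, which is fine if you offer a dump anyway but worth deciding on purpose.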

curious as i am, i decided to run a little experiment: an extra long urlshortener chain. i started with a twitter post which i shortened with qr.cx. so far so good. i went over to bit.ly and shortened that link, then 1link.in, 2su.de, 3.ly, 6url.com, 9mp.com, adjix.com, and so on. see the complete list below.

interestingly there were a lot of services on my list that didn’t exist any more (LOST URL (domain grabber), TIMEOUT, NO ROUTE TO HOST (server down)). others ‘shortened’ links that were actually shorter before (very useful)!!!

[image: useful_shorteners]

just one service deleted my spam attempt in the 12 hours since i linked all these shorteners. only about 2 blocked other urlshorteners from being shortened.

every service did shorten the link above it (except when noted otherwise):

tweet on twitter 

http://twitter.com/flowolf/status/2312852042

http://qr.cx/8bm

http://bit.ly/1o4Rd

http://1link.in/zzvso

http://2su.de/d7

http://3.ly/2rr

http://4url.cc/ - TIMEOUT AT CREATION

http://www.6url.com/0ZHZ

http://9mp.com/zrEhS

http://a2n.eu - LOST URL

http://adjix.com/7ftd

http://a.gd/132bec

http://a.nf/dff3f1

http://arm.in/48J

http://b65.us - LOST URL

http://bit.ly/eKnP0

http://bloat.me/2Ax3

http://budurl.com/wghk

http://buk.me - LOST URL

http://burnurl.com/dp592p

http://canurl.com/ - LOST URL

http://chilp.it/?20c705

http://chod.sk/abxb8

http://cli.gs/BYZShQ

http://clop.in/HghGAA

http://clop.decenturl.com/asdf

http://doiop.com/m2m87j

http://dwarfurl.com/77751

http://easyuri.com/28af

http://easyurl.net/74612

http://fhurl.com/c10859

http://fly2.ws/a9q1MJ6

http://fon.gs/oblw5o/

http://foxyurl.com/7h4

http://fwd4.me/n96

http://fwdurl.net - LOST URL

http://g4.ms/62986f

http://g8l.us - suspended for spam

http://get-shorty.com/shorty/g4/

http://gonext.org - LOST URL

http://good.ly/g7i54l

http://gurl.es/dIQ

http://hex.io/16xq

http://idek.net/GXj

http://ilix.in/0dba2

http://is.gd/1cgO3

http://ix.it - LOST URL

http://j2j.de/tEM65G

http://jdem.cz/bnbk4

http://jijr.com/ - TIMEOUT AT CREATION

http://kisa.ch/9g54

http://kl.am/X5o

http://kore.us/mXiJ0j

http://kots.nu/2qq2da

http://krz.ch/60466

http://kurl.us - LOST URL

http://lin.cr/qwi

http://linxfix.de/y8zi7 - MANY URLS FOR SAME LINK POSSIBLE

http://liteurl.net - LOST URL

http://litturl.com/5e5

http://LNK.by/cVr

http://lnk.in - ACCOUNT NEEDED

http://lnkurl.com - LOST URL

http://lurl.no/hu

http://memurl.com/ - PHP ERROR (“working on the system to prevent spammers” - nice :) )

http://xrl.us/bex9nh

http://micurl.com/i60p5j

http://migre.me/2Mdt

http://miklos.dk/!DpLrci

http://min2.me/4w

http://minilien.com/?KSFQfl5fB3

http://minurl.fr/nw8

http://minurl.org - SITE UNAVAILABLE (404)

http://moourl.com/m5vj8

http://muhlink.com - LOST URL

http://myurl.in/aVuHU

http://myurl.us - TIMEOUT

http://nanoref.com - ACCOUNT NEEDED

http://ndurl.com/6J

http://ne1.net - ACCOUNT NEEDED

http://faingai.notlong.com

http://nutshellurl.com/9i1

http://ow.ly/fLK1

http://pendek.in/007na

http://pic.gd/acf852

http://www.piurl.com/1lSq

http://plexp.com - LOST URL

http://plurl.me - NO ROUTE TO HOST

http://pnt.me/qIMJEs

http://poprl.com - TIMEOUT

http://pt2.me/2e

http://Puke.It/mvwm3p

http://qurl.com/v16ht

http://qurlyq.com/4l7

http://rde.me/lw

http://redir.ec/bDDv

http://redirx.com/?sdsn

http://r.im/1t17

http://rnk.me/ku

http://rubyurl.com/92DZ

http://safe.mn/8V

http://sai.ly/lQX

http://sfu.ca - TIMEOUT

http://shorl.com/sufebytuvode

http://shorterlink.com/?U1T92G

http://short.ie/bgwybm

http://shortlinks.co.uk/l5j

http://shortn.me/Ae

http://short.to/heur

http://alturl.com/mnhg

http://shrinklink.co.uk - NOT WORKING

http://shrinkr.com - TIMEOUT

http://shrtn.com/6

http://shrtnd.com - LOST URL

http://shrt.st/5ik

http://shurl.net - DOWN (“Sorry, we're down for now. The link you followed most likely linked to a virus anyway”)

http://shrt.st/5ik

http://simurl.com/huccut

http://smallr.com/a6p

http://smallr.net/ - YEAH blocked the above url!
http://smallr.net/5y6 - shortened http://shrt.st/5ik instead

http://smarturl.eu - EMPTY SITE

http://smfu.in/736491

http://snipr.com/kt2jp

http://sn.vc/1LUQ

http://song.ly/l/1djtku

http://srnk.net/p9NsG

http://starturl.com/evwer

http://su.pr - ACCOUNT NEEDED

http://surl.co.uk/?8840

http://tighturl.com - YEAH is blocking other shorteners!

http://www.timesurl.at/2ddada

http://tini.us - DB ERROR

http://tiny123.com/0vd

http://tiny.cc/uttcx

http://tinylink.com/?TD5EWc1gsF

http://tinyurl.com/mzob3o

http://tobtr.com - LOST URL

http://to.vg/iq - blocked tinyurl, accepted http://tinylink.com/?TD5EWc1gsF

http://traceurl.com - ACCOUNT NEEDED

http://tr.im/pDAV

http://twurl.nl/whwpyp

http://twip.us/tw3zb9

http://twirl.at/wi

http://twitpwr.com - twitter ACCOUNT NEEDED

http://twitthis.com - twitter ACCOUNT NEEDED

http://tw6.us/iy

http://uiop.me/A8

http://u.mavrev.com/dvpg

http://unfaker.it - LOST URL

http://u.nu/6cie

http://ur1.ca/688n

http://url9.com/za

http://urlborg.com - google ACCOUNT NEEDED

http://urlbrief.com/63ba41

http://url.co.uk/7m860

http://urlcover.com/edr

http://urlcut.com/1rqbk

http://urlcutter.com - NO ROUTE TO HOST

http://urlhawk.com/fxp

http://url.ie/1wwo

http://url.lotpatrol.com/?x=3298

http://urlsmash.com - LOST URL

http://urltea.com - SITE UNAVAILABLE (404)

http://urlvi.be/mbuhu

http://ur.ly/yds

http://urlzen.com/knr

http://virl.com/8d045

http://vl.am/I23

http://vtc.es/cBx

http://w3t.org/90b3b

http://wapurl.co.uk/?G21FSRW

http://wlink.us//2fx

http://www.canurl.com - LOST URL

http://www.digbig.com - ACCOUNT NEEDED

http://dwarfurl.com/7ddf0

http://www.ezurl.eu - SITE UNAVAILABLE (404)

http://fly2.ws/e-ZoUuY

http://www.shortenurl.com - LOST URL

http://alturl.com/o2a6

http://shredurl.com/XL

http://www.urlpire.com/?QFBGK

http://www.x.se/vbg9

http://x.vu/1695

http://zi.ma - NO ROUTE TO HOST

http://zz.gd/6d3160

http://nic6g.th8.us

i would not recommend visiting all these links! this can take a LONG time, although it is interesting to see what different shorteners do: some just grab the long url from the database and redirect you (0.2 seconds), some add a frame (which gets really ugly with a lot of shorteners in a row ;) ), some need confirmation to proceed and some just wait 10 seconds before they do anything.

this nice little experiment showed me how little these service providers care about security. i’m curious whether this is going to change, maybe just with the more popular services.
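how a cautious client (or a shortener deciding whether to accept a url) can walk a chain like the one above without getting stuck in it: follow redirects with a hop limit and stop as soon as a url repeats. this is an added example, not code from the post or from any of the shorteners listed; the redirect table, the status codes it returns and the fake HEAD function are constructed so the block runs offline, and the limit of 5 hops is the threshold julien mentions for safe.mn in the comments.

```python
"""Resolve a shortlink chain with a hop limit and loop detection.

Added example, not code from the post or any shortener. FAKE_WEB and
fake_head() are constructed stand-ins for real HTTP requests."""
from urllib.parse import urljoin

MAX_HOPS = 5  # redirects we are willing to follow (safe.mn's threshold)

# Constructed: the first few links of the chain from the post, resolved
# to what each one would redirect to, plus a two-link loop.
# url -> (http status, Location header or None)
FAKE_WEB = {
    "http://www.6url.com/0ZHZ": (301, "http://3.ly/2rr"),
    "http://3.ly/2rr": (301, "http://2su.de/d7"),
    "http://2su.de/d7": (301, "http://1link.in/zzvso"),
    "http://1link.in/zzvso": (301, "http://bit.ly/1o4Rd"),
    "http://bit.ly/1o4Rd": (301, "http://qr.cx/8bm"),
    "http://qr.cx/8bm": (301, "http://twitter.com/flowolf/status/2312852042"),
    "http://twitter.com/flowolf/status/2312852042": (200, None),
    # a loops to b and b back to a; the relative Location is deliberate,
    # some servers send one and it must be resolved against the request url
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_head(url):
    """Stand-in for an HTTP HEAD request with redirects disabled.
    Unknown hosts fail like the LOST URL / NO ROUTE TO HOST entries."""
    if url not in FAKE_WEB:
        raise ConnectionError(url)
    return FAKE_WEB[url]


def resolve(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow redirects from url. Returns a dict with the final url (None
    if we gave up), every url requested in order, and why we stopped:
    'final', 'loop', 'too_many_hops' or 'error'."""
    hops = []
    current = url
    while True:
        if current in hops:
            return {"final": None, "hops": hops, "stop": "loop"}
        if len(hops) > max_hops:  # already followed max_hops redirects
            return {"final": None, "hops": hops, "stop": "too_many_hops"}
        hops.append(current)
        try:
            status, location = head(current)
        except ConnectionError:
            return {"final": None, "hops": hops, "stop": "error"}
        if 300 <= status < 400 and location:
            current = urljoin(current, location)  # handles relative Location
            continue
        return {"final": current, "hops": hops, "stop": "final"}


if __name__ == "__main__":
    for start in ("http://bit.ly/1o4Rd", "http://www.6url.com/0ZHZ",
                  "http://loop.example/a", "http://a2n.eu/x"):
        r = resolve(start)
        print(f"{start}: {r['stop']} after {len(r['hops'])} request(s) -> {r['final']}")
```

to use it against the real chain, replace `head` with a function that sends a HEAD request with redirect following turned off and returns the status and Location header. a shortener that runs this on submission can refuse anything that does not end in 'final' within the limit, which catches loops and over-long chains without needing a complete blocklist of other shorteners.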

2 Responses

  1. Julien says:

    I’m the creator of Safe.mn. You have a good point. Safe.mn always redirects the user to the final URL if there are less than 5 redirections. Now, if there are more than 5 redirections, it will display a warning to the visitor. You can check the link http://safe.mn/8V again, or try with a new URL.

    As for spamming, we do extensive security checks, not just on the URL, but on the content as well.

    For transparency, you can add /i at the end of the URL to get all the data about the small link. You can also download the dump of all shortened links at ftp://safe.mn/

  2. Steven Burn says:

    I’m the developer/owner of surl.co.uk, and wanted to thank you for mentioning this. I’ve modified the sURL service to prevent this, and would welcome your testing to verify the routines I’ve put in place are sufficient (I’ve done limited testing, but verification is always welcome).