loops and stretching with urlshorteners…

there has been some discussion (via @mstrohm) on the security of urlshorteners and i have been thinking about this for the past few days.

putting the problem of the bottleneck aside, we are left with the possibility of spamming and/or loops and with missing transparency when looking at urlshortening services. let’s say the advantage of shortening urls has to compensate for one of the disadvantages; let’s take the bottleneck: it’s clear that one cannot shorten a url and expect the link to be independent, or distributed like DNS, at the same time.

still there are 3 problems which have to be solved:

spamming: there are concepts we know from mail services that can narrow this issue down. is.gd uses the surbl blacklisting service to check for spam. with a little fine tuning this is manageable.

loops: similar to the spamming problem, there must be a blocklist of sites that are not accepted for shortening. qr.cx already implements a list of about 200 services that are blocked from shortening. is.gd says it does this too, although it accepted qr.cx links and others at the time of writing. this is really easy to implement and should be done by every shortening service.

transparency: the problem here is that users cannot see where they are going when clicking a shortlink. the solution is again very easy to implement. tinyurl implements it by putting ‘preview’ in front as a subdomain, http://preview.tinyurl.com/m5l96j, and qr.cx by putting ‘/get’ behind the shortlink: http://qr.cx/1r8/get.
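the three checks above are simple enough to show in code. the following is an added example, not code from any of the services mentioned: a hypothetical shortener on the made-up host short.example that refuses to shorten its own links, refuses links to a (constructed, short) blocklist of other shorteners so chains and loops cannot be built through it, consults a stand-in for a surbl-style spam domain list, and offers a preview view that tells the visitor where a code leads without redirecting them. the host names, blocklists and the in-memory store are all assumptions for the example; a real deployment would query surbl over dns and keep the list of other shorteners much longer, as qr.cx does.

```python
from urllib.parse import urlsplit

# Constructed sample data (not any real service's lists): the host this
# hypothetical shortener answers on, a few other shorteners it refuses to
# re-shorten, and a stand-in for a SURBL-style spam domain list.
OUR_HOST = "short.example"
SHORTENER_BLOCKLIST = {"bit.ly", "tinyurl.com", "is.gd", "qr.cx", "tr.im", "ow.ly"}
SPAM_BLOCKLIST = {"spam.example"}

STORE = {}  # short code -> long url (in-memory stand-in for the database)
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def host_of(url):
    """Lower-cased host name of a URL with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def domain_in(host, blocklist):
    """True if the host or any parent domain is listed, so that
    preview.tinyurl.com is caught by a 'tinyurl.com' entry.
    The bare top-level label (e.g. 'com') is never tested."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def check_shorten_request(url):
    """Decide whether a shortening request is accepted.
    Returns (accepted, reason) so the reason can be shown to the submitter."""
    if urlsplit(url).scheme not in ("http", "https"):
        return False, "rejected: only http(s) targets are shortened"
    host = host_of(url)
    if not host:
        return False, "rejected: no host in url"
    if host == OUR_HOST or host.endswith("." + OUR_HOST):
        return False, "rejected: refusing to shorten our own links"
    if domain_in(host, SHORTENER_BLOCKLIST):
        return False, "rejected: target is another url shortener (chain/loop)"
    if domain_in(host, SPAM_BLOCKLIST):
        return False, "rejected: target domain is on the spam blocklist"
    return True, "accepted"


def to_base36(n):
    """Short, URL-safe code for a positive counter value."""
    digits = ""
    while True:
        n, rem = divmod(n, 36)
        digits = ALPHABET[rem] + digits
        if n == 0:
            return digits


def shorten(url):
    """Store the url under a new code, or raise ValueError with the reason."""
    accepted, reason = check_shorten_request(url)
    if not accepted:
        raise ValueError(reason)
    code = to_base36(len(STORE) + 1)
    STORE[code] = url
    return "http://%s/%s" % (OUR_HOST, code)


def preview(code):
    """The transparency view (tinyurl's 'preview.' subdomain, qr.cx's '/get'):
    report where the code leads instead of redirecting. None for unknown codes."""
    target = STORE.get(code)
    if target is None:
        return None
    return {"code": code, "target": target, "host": host_of(target)}


if __name__ == "__main__":
    for candidate in ("http://bit.ly/1o4Rd", "http://preview.tinyurl.com/m5l96j",
                      "http://twitter.com/flowolf/status/2312852042"):
        print(candidate, "->", check_shorten_request(candidate)[1])
    short = shorten("http://twitter.com/flowolf/status/2312852042")
    print(short, "previews as", preview(short.rsplit("/", 1)[1]))
```

the parent-domain walk in `domain_in` matters: a blocklist entry for tinyurl.com also stops preview.tinyurl.com, and the `www.` strip stops the trivial bypass of prefixing the host. the reason string is returned rather than silently dropping the request, which is what the experiment below found most services doing when they "accepted" and then deleted links.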

curious as i am i decided to make a little experiment. i tried to make an extra long urlshortener chain. i started with a twitter post which i shortened with qr.cx. so far so good. i went over to bit.ly and shortened that link, then 1link.in, 2su.de, 3.ly, 6url.com, 9mp.com, adjix.com, and so on. see the complete list below.

interestingly there were a lot of services on my list that didn’t exist anymore (LOST URL (domain grabber), TIMEOUT, NO ROUTE TO HOST (server down)). others ‘shortened’ links that were actually shorter before (very useful)!!!

[image: useful_shorteners]

just one service deleted my spam attempt in the 12 hours since i linked all these shorteners. only about 2 blocked other urlshorteners from being shortened.

every service did shorten the link above it (except when noted otherwise):

tweet on twitter
http://twitter.com/flowolf/status/2312852042
http://qr.cx/8bm
http://bit.ly/1o4Rd
http://1link.in/zzvso
http://2su.de/d7
http://3.ly/2rr
http://4url.cc/ - TIMEOUT AT CREATION
http://www.6url.com/0ZHZ
http://9mp.com/zrEhS
http://a2n.eu - LOST URL
http://adjix.com/7ftd
http://a.gd/132bec
http://a.nf/dff3f1
http://arm.in/48J
http://b65.us - LOST URL
http://bit.ly/eKnP0
http://bloat.me/2Ax3
http://budurl.com/wghk
http://buk.me - LOST URL
http://burnurl.com/dp592p
http://canurl.com/ - LOST URL
http://chilp.it/?20c705
http://chod.sk/abxb8
http://cli.gs/BYZShQ
http://clop.in/HghGAA
http://clop.decenturl.com/asdf
http://doiop.com/m2m87j
http://dwarfurl.com/77751
http://easyuri.com/28af
http://easyurl.net/74612
http://fhurl.com/c10859
http://fly2.ws/a9q1MJ6
http://fon.gs/oblw5o/
http://foxyurl.com/7h4
http://fwd4.me/n96
http://fwdurl.net - LOST URL
http://g4.ms/62986f
http://g8l.us - suspended for spam
http://get-shorty.com/shorty/g4/
http://gonext.org - LOST URL
http://good.ly/g7i54l
http://gurl.es/dIQ
http://hex.io/16xq
http://idek.net/GXj
http://ilix.in/0dba2
http://is.gd/1cgO3
http://ix.it - LOST URL
http://j2j.de/tEM65G
http://jdem.cz/bnbk4
http://jijr.com/ - TIMEOUT AT CREATION
http://kisa.ch/9g54
http://kl.am/X5o
http://kore.us/mXiJ0j
http://kots.nu/2qq2da
http://krz.ch/60466
http://kurl.us - LOST URL
http://lin.cr/qwi
http://linxfix.de/y8zi7 - MANY URLS FOR SAME LINK POSSIBLE
http://liteurl.net - LOST URL
http://litturl.com/5e5
http://LNK.by/cVr
http://lnk.in - ACCOUNT NEEDED
http://lnkurl.com - LOST URL
http://lurl.no/hu
http://memurl.com/ - php error
   -  working on the system to prevent spammers - nice :)
http://xrl.us/bex9nh
http://micurl.com/i60p5j
http://migre.me/2Mdt
http://miklos.dk/!DpLrci
http://min2.me/4w
http://minilien.com/?KSFQfl5fB3
http://minurl.fr/nw8
http://minurl.org - SITE UNAVAILABLE (404)
http://moourl.com/m5vj8
http://muhlink.com - LOST URL
http://myurl.in/aVuHU
http://myurl.us - timeout
http://nanoref.com - ACCOUNT NEEDED
http://ndurl.com/6J
http://ne1.net - ACCOUNT NEEDED
http://faingai.notlong.com
http://nutshellurl.com/9i1
http://ow.ly/fLK1
http://pendek.in/007na
http://pic.gd/acf852
http://www.piurl.com/1lSq
http://plexp.com - LOST URL
http://plurl.me - NO ROUTE TO HOST
http://pnt.me/qIMJEs
http://poprl.com - TIMEOUT
http://pt2.me/2e
http://Puke.It/mvwm3p
http://qurl.com/v16ht
http://qurlyq.com/4l7
http://rde.me/lw
http://redir.ec/bDDv
http://redirx.com/?sdsn
http://r.im/1t17
http://rnk.me/ku
http://rubyurl.com/92DZ
http://safe.mn/8V
http://sai.ly/lQX
http://sfu.ca - timeout
http://shorl.com/sufebytuvode
http://shorterlink.com/?U1T92G
http://short.ie/bgwybm
http://shortlinks.co.uk/l5j
http://shortn.me/Ae
http://short.to/heur
http://alturl.com/mnhg
http://shrinklink.co.uk - NOT WORKING
http://shrinkr.com - TIMEOUT
http://shrtn.com/6
http://shrtnd.com - LOST URL
http://shrt.st/5ik
http://shurl.net - down
     - (Sorry, we're down for now. The link
         you followed most likely linked to a
         virus anyway)
http://shrt.st/5ik
http://simurl.com/huccut
http://smallr.com/a6p
http://smallr.net/ - YEAH blocked the above url!
http://smallr.net/5y6 - shortened http://shrt.st/5ik
http://smarturl.eu - EMPTY SITE
http://smfu.in/736491
http://snipr.com/kt2jp
http://sn.vc/1LUQ
http://song.ly/l/1djtku
http://srnk.net/p9NsG
http://starturl.com/evwer
http://su.pr - ACCOUNT NEEDED
http://surl.co.uk/?8840
http://tighturl.com - YEAH is blocking other shorteners!
http://www.timesurl.at/2ddada
http://tini.us - DB ERROR
http://tiny123.com/0vd
http://tiny.cc/uttcx
http://tinylink.com/?TD5EWc1gsF
http://tinyurl.com/mzob3o
http://tobtr.com - LOST URL
http://to.vg/iq - blocked tinyurl,
     accepted http://tinylink.com/?TD5EWc1gsF
http://traceurl.com - ACCOUNT NEEDED
http://tr.im/pDAV
http://twurl.nl/whwpyp
http://twip.us/tw3zb9
http://twirl.at/wi
http://twitpwr.com - twitter ACCOUNT NEEDED
http://twitthis.com - twitter ACCOUNT NEEDED
http://tw6.us/iy
http://uiop.me/A8
http://u.mavrev.com/dvpg
http://unfaker.it - LOST URL
http://u.nu/6cie
http://ur1.ca/688n
http://url9.com/za
http://urlborg.com - google ACCOUNT NEEDED
http://urlbrief.com/63ba41
http://url.co.uk/7m860
http://urlcover.com/edr
http://urlcut.com/1rqbk
http://urlcutter.com - NO ROUTE TO HOST
http://urlhawk.com/fxp
http://url.ie/1wwo
http://url.lotpatrol.com/?x=3298
http://urlsmash.com - LOST URL
http://urltea.com - SITE UNAVAILABLE (404)
http://urlvi.be/mbuhu
http://ur.ly/yds
http://urlzen.com/knr
http://virl.com/8d045
http://vl.am/I23
http://vtc.es/cBx
http://w3t.org/90b3b
http://wapurl.co.uk/?G21FSRW
http://wlink.us//2fx
http://www.canurl.com - LOST URL
http://www.digbig.com - ACCOUNT NEEDED
http://dwarfurl.com/7ddf0
http://www.ezurl.eu - SITE UNAVAILABLE (404)
http://fly2.ws/e-ZoUuY
http://www.shortenurl.com - LOST URL
http://alturl.com/o2a6
http://shredurl.com/XL
http://www.urlpire.com/?QFBGK
http://www.x.se/vbg9
http://x.vu/1695
http://zi.ma - NO ROUTE TO HOST
http://zz.gd/6d3160
http://nic6g.th8.us

i would not recommend visiting all these links! this can take a LONG time. although it is interesting to see what the different shorteners do. some just grab the long url from the database and redirect you (0.2 seconds), some add a frame (gets really ugly with a lot of shorteners in a row 😉 ), some need confirmation to proceed and some just wait 10 seconds before they do something.
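anyone who wants to resolve such a chain, whether as a curious user or as a shortener deciding whether to redirect straight through, needs three things: a cap on the number of redirections it will follow, a record of the urls already seen so a loop is recognised the moment it closes, and a way to treat a dead host as a dead end rather than hanging. the following added example (not code from the post or from any shortener) does that over a constructed redirect table standing in for the 30x answers a real resolver would get over http, so it runs offline; the `.example` hosts, the response table and the default cap of 5 are all assumptions made for the example.

```python
from urllib.parse import urljoin

# Constructed stand-in for HTTP responses with redirects disabled:
# url -> (status code, Location header or None). A url missing from the
# table plays the part of a host that does not answer ("NO ROUTE TO HOST").
RESPONSES = {
    # a short, well-behaved chain ending on a real page
    "http://s1.example/a": (301, "http://s2.example/b"),
    "http://s2.example/b": (302, "http://s3.example/c"),
    "http://s3.example/c": (301, "http://target.example/page"),
    "http://target.example/page": (200, None),
    # two shorteners that point at each other (the Location header of the
    # second is relative, as servers are allowed to send it)
    "http://loop.example/x": (301, "http://loop.example/y"),
    "http://loop.example/y": (302, "/x"),
    # a shortener whose target host has vanished
    "http://dead.example/z": (301, "http://gone.example/"),
}
# a constructed nine-hop chain c0 -> c1 -> ... -> c8
for i in range(8):
    RESPONSES["http://c%d.example/" % i] = (301, "http://c%d.example/" % (i + 1))
RESPONSES["http://c8.example/"] = (200, None)

REDIRECT_CODES = (301, 302, 303, 307, 308)


def fetch(url):
    """Stand-in for one HEAD request that does not follow redirects.
    Returns (status, location) or None when the host cannot be reached."""
    return RESPONSES.get(url)


def follow_chain(start, max_hops=5, fetch=fetch):
    """Follow redirects from start, at most max_hops of them.
    Returns a dict with status in {'resolved', 'loop', 'too_many_hops', 'dead'},
    the list of urls visited in order, and the last url reached."""
    hops = [start]
    seen = {start}
    url = start
    while True:
        response = fetch(url)
        if response is None:
            return {"status": "dead", "hops": hops, "final": url}
        status, location = response
        if status not in REDIRECT_CODES or not location:
            return {"status": "resolved", "hops": hops, "final": url}
        nxt = urljoin(url, location)  # resolves relative Location headers
        if nxt in seen:
            return {"status": "loop", "hops": hops + [nxt], "final": nxt}
        if len(hops) > max_hops:  # len(hops) - 1 redirections already followed
            return {"status": "too_many_hops", "hops": hops, "final": url}
        hops.append(nxt)
        seen.add(nxt)
        url = nxt


def verdict(result):
    """What a transparency-minded shortener does with the outcome: redirect
    only when the chain ended on a page within the cap, otherwise warn."""
    return "redirect" if result["status"] == "resolved" else "warn"


if __name__ == "__main__":
    for start in ("http://s1.example/a", "http://loop.example/x",
                  "http://c0.example/", "http://dead.example/z"):
        r = follow_chain(start)
        print(start, r["status"], len(r["hops"]) - 1, "redirection(s)", verdict(r))
```

the cap is counted in redirections followed, not urls seen, so `max_hops=5` lets a chain of five redirections resolve and stops on the sixth. a real resolver would pass a `fetch` that issues HEAD requests with a connect timeout of a few seconds, since the experiment above showed that some shorteners simply never answer.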

this nice little experiment showed me how little these service providers care about security. i’m curious whether this is going to change; maybe just with the more popular services.

2 thoughts on “loops and stretching with urlshorteners…”

  1. I’m the creator of Safe.mn. You have a good point. Safe.mn always redirects the user to the final URL if there are fewer than 5 redirections. Now, if there are more than 5 redirections, it will display a warning to the visitor. You can check the link http://safe.mn/8V again, or try with a new URL.

    As for spamming, we do extensive security checks, not just on the URL, but on the content as well.

    For transparency, you can add /i at the end of the URL to get all the data about the small link. You can also download the dump of all shortened links at ftp://safe.mn/

  2. I’m the developer/owner of surl.co.uk, and wanted to thank you for mentioning this. I’ve modified the sURL service to prevent this, and would welcome your testing to verify that the routines I’ve put in place are sufficient (I’ve done limited testing, but verification is always welcome).