Cligs short url service hacked, millions redirected

URL shortening services like TinyURL, bit.ly and is.gd have increasingly become part of many computer users’ everyday lives in the last year or so, with the surge in popularity of micro-blogging websites like Twitter.

The services allow you to shorten a long url like

https://www.sophos.com/blogs/gc/g/2009/02/18/neat-add-on-twitter/

to something much snappier like

http://tinyurl.com/c27gqd.

That’s important if you need to make your point in 140 characters or less.

On Sunday, one such URL shortening service, Cligs, was hacked, redirecting millions of cli.gs links to a story about Twitter hashtags by blogger Kevin Sablan of the Orange County Register (hosted at freedomblogging.com).

Sablan noticed the unexpected rise in traffic on Monday morning, and responded to a message from a redirected internet user:

Blogger Kevin Sablan comments on his blog about his unexpected traffic

Subsequently, Sablan (who is not believed to have been involved in the hack) blogged about the experience of having 2.2 million links temporarily pointing at his blog post.


Cligs was recently ranked as the fourth most popular URL shortening service on Twitter. Although its popularity is dwarfed by the likes of bit.ly and tinyurl it is still being used by a substantial number of people – so you can imagine the disruption that can be caused if links no longer go where they were intended.

A statement on the Cligs website suggests that a security vulnerability in its edit functionality allowed a malicious hacker to change the destination of millions of shortened urls.

Statement from Cligs about hack

Cligs’s disaster recovery plan is hampered somewhat by the admission that it hasn’t been getting daily backups since early May. Whoops.

It’s clear, though, that this hack could have been much worse. The hackers’ intentions are not yet apparent, but they could just as easily have redirected millions of shortened urls to a website hosting malware. That’s one of the reasons why it can be helpful to run a plug-in that will expand shortened urls before you click on them.

As an aside, we frequently see spammers abusing shortened url services to try to make life harder for anti-spam filters that are trying to determine whether a link is going somewhere unsavoury.
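The "expand before you click" idea above, and the job an anti-spam filter does when it resolves a shortened link, come down to the same thing: follow the redirect chain hop by hop with HEAD requests, never fetch or render the final page, and compare where the link actually lands with where it was supposed to go. The following is an added example written for this post; it is not code from Cligs, Sophos or any browser plug-in. The `short.example` and `blog.example` hosts and the `FAKE_REDIRECTS` table are constructed stand-ins so the example runs offline; `http_head` is the live fetcher you would pass in instead.

```python
"""Expand a shortened URL by following its redirect chain with HEAD requests,
without downloading the destination page. Added example, not code from the
original post, Cligs or Sophos."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx, which we catch


def http_head(url):
    """Live fetcher: returns (status, Location header or None) for one hop.
    HEAD means no page body is transferred, so nothing hosted there runs."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # With redirects disabled, a 3xx surfaces as HTTPError; keep its headers
        return e.code, e.headers.get("Location")


def expand_short_url(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow redirects one hop at a time. Returns the chain of URLs visited,
    the final URL (None if unresolved) and a reason when the chain was cut
    short: a redirect loop, too many hops, or a 3xx with no Location."""
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES:
            return {"chain": chain, "final": current, "reason": None}
        if not location:
            return {"chain": chain, "final": current,
                    "reason": "redirect without Location"}
        nxt = urljoin(current, location)  # resolve relative Location headers
        chain.append(nxt)
        if nxt in seen:
            return {"chain": chain, "final": None, "reason": "redirect loop"}
        seen.add(nxt)
        current = nxt
    return {"chain": chain, "final": None, "reason": "too many hops"}


def destination_changed(expected_host, result):
    """The check a user or filter actually wants: does the link still land on
    the host it was created for? Unresolved chains count as changed."""
    if result["final"] is None:
        return True
    return urlsplit(result["final"]).hostname != expected_host


# Constructed offline stand-in for a short URL service (not real Cligs data).
FAKE_REDIRECTS = {
    "http://short.example/abc":
        (301, "https://www.sophos.com/blogs/gc/g/2009/02/18/neat-add-on-twitter/"),
    "https://www.sophos.com/blogs/gc/g/2009/02/18/neat-add-on-twitter/": (200, None),
    # a link whose destination was edited to somewhere the user never intended
    "http://short.example/hijacked": (302, "http://blog.example/hashtags-post"),
    "http://blog.example/hashtags-post": (200, None),
    # a self-referencing redirect (relative Location header)
    "http://short.example/loop": (302, "/loop"),
}


def fake_head(url):
    """Offline fetcher with the same (status, location) contract as http_head."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for key in ("abc", "hijacked", "loop"):
        r = expand_short_url(f"http://short.example/{key}", fetch=fake_head)
        print(f"{key}: final={r['final']} reason={r['reason']} "
              f"changed={destination_changed('www.sophos.com', r)}")
```

Passing the fetcher in as a parameter is what makes the resolver testable without network access, and it also keeps the policy (hop limit, loop detection, host comparison) separate from the transport. Swapping `fake_head` for `http_head` gives the live version.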

Here’s an example of a spam campaign we saw today which uses a Cligs shortened url to try to sell bulk-mailing software:

Spam email using Cligs shortened url


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
