URL shortening services like TinyURL, bit.ly and is.gd have increasingly become part of many computer users’ everyday lives in the last year or so, with the surge in popularity of micro-blogging websites like Twitter.
The services allow you to shorten a long URL like https://www.sophos.com/blogs/gc/g/2009/02/18/neat-add-on-twitter/ to something much snappier like http://tinyurl.com/c27gqd.
That’s important if you need to make your point in 140 characters or less.
On Sunday, one such URL shortening service, Cligs, was hacked, redirecting millions of cli.gs links to a story about Twitter hashtags by blogger Kevin Sablan of the Orange County Register (hosted at freedomblogging.com).
Sablan noticed the unexpected rise in traffic on Monday morning, and responded to a message from a redirected internet user:
Subsequently, Sablan (who is not believed to have been involved in the hack) blogged about the experience of having 2.2 million links temporarily pointing at his blog post.
Cligs was recently ranked as the fourth most popular URL shortening service on Twitter. Although its popularity is dwarfed by the likes of bit.ly and tinyurl it is still being used by a substantial number of people – so you can imagine the disruption that can be caused if links no longer go where they were intended.
A statement on the Cligs website suggests that a security vulnerability in its edit functionality allowed a malicious hacker to change the destination of millions of shortened URLs.
Cligs’s disaster recovery plan is hampered somewhat by the admission that it hasn’t been getting daily backups since early May. Whoops.
It’s clear, though, that this hack could have been much worse. It’s not yet apparent what the hackers’ intentions were, but they could just as easily have redirected millions of shortened URLs to a website hosting malware. That’s one of the reasons why it can be helpful to run a plug-in that will expand shortened URLs before you click on them.
As an aside, we frequently see spammers abusing URL shortening services to try to make life harder for anti-spam filters that need to determine whether a link is going somewhere unsavoury.
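As an added example (not code from Sophos, Cligs or any of the shorteners named above) of the expand-before-you-click idea and of what an anti-spam filter needs from a shortened link, the Python below follows a redirect chain hop by hop, stops on loops and on an excessive hop count, and reports the host a user or filter should actually judge. The redirect table, the short URLs in it and the hop limit are constructed assumptions standing in for live HEAD requests.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed redirect table standing in for live HEAD responses: each entry
# maps a URL to the Location header a shortener would answer with (None means
# the page is a final destination). The short codes and loop are made up.
SAMPLE_REDIRECTS: Dict[str, Optional[str]] = {
    "http://cli.gs/abc123": "http://tinyurl.com/xyz789",
    "http://tinyurl.com/xyz789": "https://www.sophos.com/blogs/gc/g/2009/02/18/neat-add-on-twitter/",
    "https://www.sophos.com/blogs/gc/g/2009/02/18/neat-add-on-twitter/": None,
    "http://cli.gs/loop1": "http://cli.gs/loop2",
    "http://cli.gs/loop2": "http://cli.gs/loop1",
}

SHORTENER_HOSTS = {"cli.gs", "tinyurl.com", "bit.ly", "is.gd"}

def lookup_location(url: str) -> Optional[str]:
    """Stand-in for an HTTP HEAD request. A real expander sends HEAD with
    automatic redirects disabled and reads only the Location header, so the
    destination page is never fetched before the user decides to click."""
    return SAMPLE_REDIRECTS.get(url)

def expand_url(url: str, fetch: Callable[[str], Optional[str]] = lookup_location,
               max_hops: int = 5) -> Tuple[List[str], str]:
    """Follow redirects one hop at a time. Returns (chain, status) with status
    'resolved', 'loop' or 'too-many-hops'; the full chain is kept so every
    host the click would have passed through can be shown or checked."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in chain:              # A -> B -> A: stop instead of spinning
            chain.append(nxt)
            return chain, "loop"
        chain.append(nxt)
    return chain, "too-many-hops"     # still bouncing after the cap: suspicious

def final_host(url: str, **kw) -> Optional[str]:
    """Host a filter should judge: the last hop, but only when the chain
    resolved and did not end on yet another shortener (None = unknown)."""
    chain, status = expand_url(url, **kw)
    host = urlsplit(chain[-1]).hostname
    if status != "resolved" or host in SHORTENER_HOSTS:
        return None
    return host
```

A filter that cannot get a final host back (loop, too many hops, or a shortener that will not reveal its target) has a reason to treat the link with suspicion rather than to pass it through.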
Here’s an example of a spam campaign we saw today which uses a Cligs shortened URL to try to sell bulk-mailing software: