[Ipg-smz] The use of URL Shorteners violates security principles

Tom Henderson thenderson at extremelabs.com
Mon Oct 8 16:16:59 UTC 2018


I do them. Unless you want to go far, far into the weeds, this is not a
fun story to research. Trust me on this. I use VMs to test some of
them... and have had to crater the instances on numerous occasions.
This is a grad student thesis.

Tom



On 10/08/2018 12:09 PM, Dana Blankenhorn wrote:
> Great story for someone on the list who does security stories. <ahem>
>
> On Mon, Oct 8, 2018 at 12:05 PM Tom Henderson
> <thenderson at extremelabs.com> wrote:
>
>     Fellow Guilders,
>
>     I can give you a long list of ow.ly shortened URLs that will give
>     you a malware dose the size of Cincinnati.
>
>     ONE SINGLE MISTYPED character will send a user into plain hell.
>
>     bit.ly, direc.it, and many other URL shorteners are similarly
>     infected.
>
>     May I strongly suggest not using them, please. Yes, your URL is
>     probably fine, but a single mistyped character can be explosive.
>
>     THESE ORGANIZATIONS DO NOT SCAN TARGETS FOR MALWARE or URL target
>     integrity.
>
>     Please please please reconsider their use and use the long URL. I
>     have been using a highly-sandboxed instance to extract the URL and
>     re-post them on places like Twitter, but this is getting old.
>
>     I can't give you the ones with malware, because you'll get
>     infected or your own anti-malware software will trigger (hopefully).
>
>     I'm not kidding, please reconsider using them and the
>     don't-give-a-hootsuite-type apps that generate them.
>
>     These organizations do not respond to URL takedown requests.
>
>     Thanks,
>
>     Tom
>
>
>     -- 
>     Tom Henderson
>     ExtremeLabs, Inc.
>     +1 317 250 4646
>     Twitter: @extremelabs
>     Skype: extremelabsinc
>
>
> -- 
> Dana Blankenhorn
> http://www.danablankenhorn.com
> http://investorplace.com/author/danablankenhorn/#.WJzBOzsrLIV
>
>

-- 
Tom Henderson
ExtremeLabs, Inc.
+1 317 250 4646
Twitter: @extremelabs
Skype: extremelabsinc
