Michael Kassner has written a piece on TechRepublic about the security risks of URL shortening. Whilst it has one or two valid points, it also has more technical holes than a gamer's PC case.
URL-shortening services such as TinyURL and Bit.ly are becoming popular attack vectors. You may not want to automatically click on the shortened URL after you read this.
Ok, that bit’s right, but then it starts to go south. Michael says:
- Allow spammers to sidestep spam filters as domain names like TinyURL are automatically trusted.
Well, yes and no. The shortened URL may get through your firewall, but it redirects to the real URL, so that has to get through your firewall as well. No extra security risk there.
- Prevent educated users from checking for suspect URLs by obfuscating the actual Web-site URL.
It does, but so does the HTML in phishing emails. There are plugins, for example for Firefox, which will show more about the URL before you go to the site. Also, some of the services allow you to turn on a preview function (see TinyURL’s version of this feature). Michael even mentions this in his piece.
Seeing an obfuscated tiny URL in an email should make a user suspicious, just as any other should. If anything, it makes the email look more suspicious.
- Redirect users to phishing sites in order to capture sensitive personal information.
Again, yes and no. This is true, but this isn’t an additional vector for phishing folks to use that is beyond any of their existing methods.
- Redirect users to malicious sites loaded with drive-by droppers, just waiting to download malware.
That’s all a bit ‘sky is falling’. Malicious emails or other websites could just as easily do this. Your standard anti-malware measures aren’t weakened in any way.
