Comments for TinyURL Being Used to Bypass Safe Browsing Filters in Firefox, Chrome

TinyURL Being Used to Bypass Safe Browsing Filters in Firefox, Chrome

2009-01-26T13:49:37Z

TinyURL, one of the most popular URL-shortening services (although not our favorite) is now being used by cybercriminals to redirect web surfers to pages that contain viruses, trojans, and other sorts of malware. According to Finjan's Malicious Code Research Center, these criminals are using the service to avoid having their web sites flagged by the Safe Browsing mechanisms built in to modern web browsers like Mozilla Firefox and Google Chrome.

]]> Both web browsers employ Google Safe Browsing, a feature which warns users about phishing sites and other malware. Yet bypassing this filter within your browser is easy to do, apparently. All that's necessary is for a cybercriminal to create a TinyURL that hides the original, malicious URL. Then, instead of getting the warning message "Reported Attack Site!", unsuspecting web surfers will be sent directly to the dangerous web page when clicking the link.

In tests, the reason that the TinyURLs were able to be used in this way is because the pages they masked were not at the domain level, but were rather sub-pages of a domain marked as "safe." This actually points to a weakness in the Safe Browsing feature and not really a security risk in the TinyURL service in and of itself. Because Safe Browsing only ranks sites at the domain level, infected sub-pages will always be ranked as "non-malicious" as long as the domain is categorized as "safe."

TinyURL isn't the only service being abused in this way. Other URL-shortening services mentioned in the article include bit.ly, w3t.org and is.gd. However, during their research, the firm also found bit.ly being used by the same cybercriminals. Both TinyURL and bit.ly were notified and the malicious links were removed.

Comment from altın çilek on 2011-03-01

2011-03-01T10:34:00Z

URL shortners never appealed to me much. Just check this security site to stay up to date.

Comment from Steve on 2009-01-28

2009-01-29T05:44:39Z

I think some of these issues have already been solved. Regardless, the fact malware detectors etc. are only at the domain level is not too comforting. URL shortners never appealed to me much. Just check this security site to stay up to date.

Comment from Mike Beltzner on 2009-01-26

2009-01-27T01:05:21Z

(It's possible that the research was run on Firefox 2, which is no longer supported and has a different SafeBrowsing implementation.)

Comment from Mike Beltzner on 2009-01-26

2009-01-26T23:57:11Z

The research is flawed. The SafeBrowsing service checks the full URL against the database, and checks the URL of the resource being loaded, not the reference. This way any redirects - caused by server side redirects, shorteners like TinyURL or otherwise - cannot defeat the service.

See https://bugzilla.mozilla.org/show_bug.cgi?id=475436 which was opened based on this article and quickly resolved as invalid.

Comment from John Adams on 2009-01-26

2009-01-26T22:08:47Z

I am shocked to hear that bit.ly is vulnerable to this as well -- they process URLs through google's malware service and shouldn't have this issue.

Comment from Jean-Michel Decombe on 2009-01-26

2009-01-26T17:25:49Z

Haha, that is great. Another blow to the face of URL shorteners, which are one of the worst ideas ever, from a technical standpoint.

Comment from Łukasz on 2009-01-26

2009-01-26T16:16:18Z

I want chrome on Linux...

Comment from MKR on 2009-01-26

2009-01-26T15:34:28Z

The simplest solution I can think of is to have the browser warn the user when a page tries to redirect to another domain.

Comment from Sarah Perez on 2009-01-26

2009-01-26T15:14:15Z

@Michael As in Panera Bread? Wow, I wasn't aware of that. (Although I tend to hang out at Starbucks). Potential solutions are needed indeed!

Comment from Michael Russell - @planetrussell on 2009-01-26

2009-01-26T15:08:29Z

Cafe Panera, a popular North-American eatery known for its fresh baked goods (and free WiFi access) blocks TinyURL.com apparently for this exact reason.

Curiously, other URL shortening services appear to work under certain circumstances, however. This has serious implications on how 'net access is used in establishments like Panera. If you can't retweet using a shortening service, you probably won't use Twitter -- or any of several other services at all. And, if you're limited in what you can do at such establishments, your incentive to patronize them is diminished. Potential solutions?

Comment from David Bloom on 2009-01-26

2009-01-26T14:53:23Z

It seems to work just fine for me in Opera and Firefox.

Here's a tinyurl to a known phishing site to test your browser: http://tinyurl.com/bvkd85

Comment from MKR on 2009-01-26

2009-01-26T14:34:37Z

http://tinyurl.com/preview.php