TinyURL, one of the most popular URL-shortening services (although not our favorite), is now being used by cybercriminals to redirect web surfers to pages that contain viruses, trojans, and other sorts of malware. According to Finjan's Malicious Code Research Center, these criminals are using the service to avoid having their web sites flagged by the Safe Browsing mechanisms built into modern web browsers like Mozilla Firefox and Google Chrome.
Both web browsers employ Google Safe Browsing, a feature which warns users about phishing sites and other malware. Yet bypassing this filter within your browser is easy to do, apparently. All that's necessary is for a cybercriminal to create a TinyURL that hides the original, malicious URL. Then, instead of getting the warning message "Reported Attack Site!", unsuspecting web surfers will be sent directly to the dangerous web page when clicking the link.
In tests, the TinyURLs could be used in this way because the pages they masked were not at the domain level, but were rather sub-pages of a domain marked as "safe." This actually points to a weakness in the Safe Browsing feature and not really a security risk in the TinyURL service in and of itself. Because Safe Browsing only ranks sites at the domain level, infected sub-pages will always be ranked as "non-malicious" as long as the domain is categorized as "safe."
TinyURL isn't the only service being abused in this way. Other URL-shortening services mentioned in the article include bit.ly, w3t.org and is.gd. During their research, the firm also found bit.ly being used by the same cybercriminals. Both TinyURL and bit.ly were notified and the malicious links were removed.
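To make the difference concrete, here is an added example (not code from Finjan, TinyURL or any browser) contrasting a domain-only check on the clicked link with a check that follows the redirect and tests every hop against host-plus-path-prefix entries. The lookup is a simplified stand-in, and all hosts, URLs and list entries are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample data (example.* names are placeholders, not real services).
REDIRECTS = {"http://short.example/abc": "http://host.example/users/x/page.html"}
BAD_DOMAINS = set()                        # host.example as a whole is rated "safe"
BAD_PREFIXES = {"host.example/users/x/"}   # one sub-directory is flagged

def expressions(url):
    """Host-suffix + path-prefix strings to look up for one URL (simplified)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    path = parts.path or "/"
    prefixes = ["/"]
    for segment in path.split("/")[1:-1]:  # each directory level
        prefixes.append(prefixes[-1] + segment + "/")
    if not path.endswith("/"):
        prefixes.append(path)              # the exact page
    return {h + p for h in hosts for p in prefixes}

def resolve_chain(url, redirects, max_hops=10):
    """Follow redirects through the mapping, stopping on loops or max_hops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def domain_only_block(url, bad_domains):
    """Domain-level check applied to the clicked link only."""
    return urlsplit(url).hostname in bad_domains

def per_hop_block(url, redirects, bad_prefixes):
    """Check every hop of the chain; return the first flagged URL or None."""
    for hop in resolve_chain(url, redirects):
        if expressions(hop) & bad_prefixes:
            return hop
    return None

if __name__ == "__main__":
    link = "http://short.example/abc"
    print(domain_only_block(link, BAD_DOMAINS))          # link is let through
    print(per_hop_block(link, REDIRECTS, BAD_PREFIXES))  # destination is flagged
```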
Comments
http://tinyurl.com/preview.php
:)
It seems to work just fine for me in Opera and Firefox.
Here's a tinyurl to a known phishing site to test your browser: http://tinyurl.com/bvkd85
Cafe Panera, a popular North-American eatery known for its fresh baked goods (and free WiFi access) blocks TinyURL.com apparently for this exact reason.
Curiously, other URL shortening services appear to work under certain circumstances, however. This has serious implications on how 'net access is used in establishments like Panera. If you can't retweet using a shortening service, you probably won't use Twitter -- or any of several other services at all. And, if you're limited in what you can do at such establishments, your incentive to patronize them is diminished. Potential solutions?
@Michael As in Panera Bread? Wow, I wasn't aware of that. (Although I tend to hang out at Starbucks). Potential solutions are needed indeed!
The simplest solution I can think of is to have the browser warn the user when a page tries to redirect to another domain.
I want Chrome on Linux...
Haha, that is great. Another blow to the face of URL shorteners, which are one of the worst ideas ever, from a technical standpoint.
I am shocked to hear that bit.ly is vulnerable to this as well -- they process URLs through Google's malware service and shouldn't have this issue.
The research is flawed. The SafeBrowsing service checks the full URL against the database, and checks the URL of the resource being loaded, not the reference. This way any redirects - caused by server side redirects, shorteners like TinyURL or otherwise - cannot defeat the service.
See https://bugzilla.mozilla.org/show_bug.cgi?id=475436 which was opened based on this article and quickly resolved as invalid.
(It's possible that the research was run on Firefox 2, which is no longer supported and has a different SafeBrowsing implementation.)
I think some of these issues have already been solved. Regardless, the fact that malware detectors etc. are only at the domain level is not too comforting. URL shorteners never appealed to me much. Just check this security site to stay up to date.