Project Shows Danger of URL Shorteners
To raise awareness of the extensive cybersecurity dangers posed by shortened URLs, a college student studying computer science has created his own URL shortening service that doubles as a weapon for issuing distributed denial-of-service (DDoS) attacks.
Ben Schmidt, a student at the University of Tulsa, created a program called d0z.me, which he dubbed "The Evil URL Shortener." On his blog, spareclockcycles.org, Schmidt explains that the evil shortener takes advantage of users’ inherent willingness to trust links sent by their friends, as well as social media’s quick and far-reaching tentacles, to serve its purpose.
"The concept is quite simple, really," Schmidt wrote. "Attackers go to d0z.me and enter a link they think could be popular/want to share, but also enter the address of a server they would like to attack as well. Then, they share this text with as many people as possible, in as many places as possible. Extensive use of social media sites is probably a must [to] achieve the best results."
When users click on the shortened URL created by d0z.me, an embedded iframe — part of an HTML document — opens with the shortened links, while a malicious piece of JavaScript “runs in the background, hammering the targeted server with a deluge of requests from these unsuspecting clients.” The onslaught of requests continues as long as a user’s iframe remains open.
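A defender can tell the two behaviors apart from the raw response alone, without rendering anything: an ordinary shortener answers with an HTTP redirect, while the pattern described above answers with a page that frames the destination and loads its own script. The following is an added example, not code from Schmidt or from this article; the function name, verdict labels and sample responses are constructed for illustration, and it assumes the response was fetched with redirects not followed.

```python
from html.parser import HTMLParser

# Constructed sample responses (not captured from any real service).
REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.org/article\r\n\r\n"
)
FRAMED = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><script src="/bg.js"></script>'
    '<iframe src="https://example.org/article"></iframe></body></html>'
)

class _TagScan(HTMLParser):
    """Collect iframe targets and count script elements."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs).get("src"))
        elif tag == "script":
            self.scripts += 1

def classify_short_link(raw_response):
    """Return (verdict, destination) for a raw HTTP response from a short link."""
    head, _, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400 and "location" in headers:
        return "redirect", headers["location"]
    scan = _TagScan()
    scan.feed(body)
    if scan.iframes and scan.scripts:
        # Destination is framed while the shortener's own script keeps running.
        return "framed-with-script", scan.iframes[0]
    if scan.iframes:
        return "framed", scan.iframes[0]
    return "other", None

if __name__ == "__main__":
    for sample in (REDIRECT, FRAMED):
        print(classify_short_link(sample))
```

A "framed-with-script" verdict does not prove abuse, but it marks a short link that keeps its own code running in the visitor's browser for as long as the tab stays open, which is the condition the article describes.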
Schmidt wrote that he is concerned that the proliferation of shortened URLs, especially on social networking sites such as Twitter and Facebook, is leaving people with a "false sense of security" that the shortened URLs will actually take people to the places they are supposed to.
"A malicious shortener could essentially take you anywhere it pleased, and the user would be none the wiser," he wrote.
George Smith, senior fellow with GlobalSecurity.org, agrees with Schmidt's assertion that shortened links could spell trouble for unsuspecting users. "Anything that hides where you are actually going creates such a hazard," Smith told SecurityNewsDaily.
Schmidt insists he didn’t create d0z.me with malice in mind, but rather as a proof-of-concept to illuminate the danger people face when clicking on shortened links, even ones sent by friends and colleagues.
"This site is NOT meant to be an attack site, or to help support either side in the whole WikiLeaks debacle," he wrote. "I don’t want any part in the current cyber skirmishes. It is merely a demonstration of some things that I found interesting and wanted to work on."
And while URLs and the programs that shorten them may become more secure over time, there's little hope that denial-of-service attacks are going anywhere, even when WikiLeaks is a blip in the past.
"They'll always be with us," Smith told SecurityNewsDaily.
