Project Shows Danger of URL Shorteners

Credit: Darren Hester/MorgueFile

To raise awareness of the extensive cybersecurity dangers posed by shortened URLs, a college student studying computer science has created his own URL shortening service that doubles as a weapon for issuing distributed denial-of-service (DDoS) attacks.

Ben Schmidt, a student at the University of Tulsa, created a program called d0z.me, which he dubbed "The Evil URL Shortener." On his blog, spareclockcycles.org, Schmidt explains that the evil shortener takes advantage of users’ inherent willingness to trust links sent by their friends, as well as social media’s quick and far-reaching tentacles, to serve its purpose.

"The concept is quite simple, really," Schmidt wrote. "Attackers go to d0z.me and enter a link they think could be popular/want to share, but also enter the address of a server they would like to attack as well. Then, they share this text with as many people as possible, in as many places as possible. Extensive use of social media sites is probably a must [to] achieve the best results."

When users click on the shortened URL created by d0z.me, an embedded iframe (part of an HTML document) opens with the shortened links, while a malicious piece of JavaScript software “runs in the background, hammering the targeted server with a deluge of requests from these unsuspecting clients.” The onslaught of requests continues as long as a user’s iframe remains open.
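A defender can tell this behavior apart from an ordinary shortener by inspecting the raw HTTP response instead of rendering it: a conventional shortener answers with a 3xx redirect and a `Location` header, while the page described above is an HTML document that frames the destination and runs script alongside it. The following check is an added example, not code from the article or from Schmidt's project; the function names, the sample responses, `news.example` and `/bg.js` are constructed for illustration.

```python
from html.parser import HTMLParser

class _TagScan(HTMLParser):
    """Collects iframe sources and counts script tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")
        elif tag == "script":
            self.scripts += 1

def classify_short_link(status, headers, body=""):
    """Classify a shortener's HTTP response without rendering it.

    Returns (verdict, detail):
      'redirect'      - 3xx with a Location header; detail is the destination
      'framed+script' - 200 HTML page that frames content and also runs script
      'framed'        - 200 HTML page that frames content, no script
      'other'         - anything else
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return "redirect", hdrs["location"]
    if status == 200 and "html" in hdrs.get("content-type", "").lower():
        scan = _TagScan()
        scan.feed(body)
        if scan.iframes:
            verdict = "framed+script" if scan.scripts else "framed"
            return verdict, scan.iframes[0]
    return "other", None

# Constructed sample responses (not captured from any real service).
PLAIN = (301, {"Location": "https://news.example/story"}, "")
WRAPPED = (200, {"Content-Type": "text/html; charset=utf-8"},
           '<html><body><script src="/bg.js"></script>'
           '<iframe src="https://news.example/story" width="100%"></iframe>'
           '</body></html>')

if __name__ == "__main__":
    for name, resp in (("plain", PLAIN), ("wrapped", WRAPPED)):
        print(name, classify_short_link(*resp))
```

A `framed+script` verdict only says the link is not a plain redirect; the script itself still has to be reviewed before the link is treated as hostile.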

Schmidt wrote that he is concerned that the proliferation of shortened URLs, especially on social networking sites such as Twitter and Facebook, is leaving people with a "false sense of security" that the shortened URLs will actually take people to the places they are supposed to.

"A malicious shortener could essentially take you anywhere it pleased, and the user would be none the wiser," he wrote.

George Smith, senior fellow with GlobalSecurity.org, agrees with Schmidt's assertion that shortened links could spell trouble for unsuspecting users. "Anything that hides where you are actually going creates such a hazard," Smith told SecurityNewsDaily.

Schmidt insists he didn’t create d0z.me with malice in mind, but rather as a proof-of-concept to illuminate the danger people face when clicking on shortened links, even ones sent by friends and colleagues.

"This site is NOT meant to be an attack site, or to help support either side in the whole WikiLeaks debacle," he wrote. "I don’t want any part in the current cyber skirmishes. It is merely a demonstration of some things that I found interesting and wanted to work on."

And while URLs and the programs that shorten them may become more secure over time, there's little hope that denial-of-service attacks are going anywhere, even when WikiLeaks is a blip in the past.

"They'll always be with us," Smith told SecurityNewsDaily.