Thursday, January 6, 2011

Shortened URLs Unmasked

Twitter users in particular are bombarded daily with a plethora of shortened URLs. Shortened URLs are especially useful on Twitter because really long URLs like http://netscantools.blogspot.com/2011/01/addressing-confusion.html are tough to fit into 140 characters while still leaving room for a meaningful message. Those long URLs can be shortened to something like http://tinyurl.com/37dnopw. While convenient, they do present a security risk: the shortened URL hides its destination, so it can point to an informative article just as easily as to a page full of malware. How can you know where that URL goes?

The mechanism behind shortened URLs is fairly straightforward. When you access the shortened URL, the shortening provider's web server sends back an HTTP 301 Moved Permanently response whose Location header carries the real target URL. You can clearly see it in the two examples below - I used NetScanTools Pro's URL Capture to grab the text. Your web browser will not show you these headers; it acts on them and loads the final target before you have a chance to think about it. That's why I used the tool in NetScanTools Pro - it grabs only the text and does not fetch or run anything else, such as scripts or images.

The first mechanism, used by tinyurl.com, is the simplest: the server sends back only the 301 redirect response.

Starting Timestamp: 01/06/11 22:06:18
Input URL: http://tinyurl.com/37dnopw
Web server IPv4 address: 195.66.135.140
***###Received Web Page text begins after this line###***
HTTP/1.0 301 Moved Permanently
Location: http://netscantools.blogspot.com/2011/01/addressing-confusion.html
X-tiny: cache 0.00097513198852539
Content-type: text/html
Content-Length: 0
Connection: close
Date: Fri, 07 Jan 2011 06:05:40 GMT
Server: TinyURL/1.6

The mechanism used by the bit.ly URL shortening service is a bit more involved. Not only does it send back the HTTP 301 response, it also includes a web page with the target link embedded in it, in case the web browser does not follow the 301.


Starting Timestamp: 01/06/11 22:06:40
Input URL: http://bit.ly/i9TxQY
Web server IPv4 address: 128.121.254.205
***###Received Web Page text begins after this line###***
HTTP/1.1 301 Moved
Server: nginx/0.7.67
Date: Fri, 07 Jan 2011 06:06:01 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Set-Cookie: _bit=4d26ad49-003c1-00673-b3a08fa8;domain=.bit.ly;expires=Wed Jul 6 02:06:01 2011;path=/; HttpOnly
Cache-control: private; max-age=90
Location: http://www.us-cert.gov/current/index.html#apple_releases_mac_os_x4
MIME-Version: 1.0
Content-Length: 328

...web page omitted...

There are plugins for Firefox and other browsers that do this first step for you: they contact the URL shortening server, then present the final target to you, and it's your decision whether to continue. I have shown the mechanism and how to use our software to see it. This text-only URL capture tool is not only in NetScanTools Pro, it is also in NetScanTools LE (law enforcement).
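The same check as a small script, added here as an example (it is not NetScanTools code or a browser plugin): it requests the shortened URL with redirects disabled, reads only the status line and Location header, and walks the chain one hop at a time so the final target can be inspected before any page is loaded. parse_redirect works on captured response text starting at the status line, like the two captures above; the network part assumes only Python's standard http.client, and the hop limit and loop check are my own safeguards.

```python
import http.client
import sys
import urllib.parse

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_redirect(raw_response):
    """Return (status_code, location) from captured HTTP response text; location is None if absent."""
    lines = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":  # header names are case-insensitive
            location = value.strip()
            break
    return status, location

def fetch_head(url, timeout=10.0):
    """One request with redirects NOT followed; returns only the status line and
    headers as text. The body is never read, so nothing is rendered or run."""
    parts = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"User-Agent": "unmask-example/0.1"})
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\n" % (k, v) for k, v in resp.getheaders())
    conn.close()
    return raw

def unmask(url, fetch=fetch_head, max_hops=10):
    """Walk the redirect chain one hop at a time; return every URL seen, input first.
    Stops at a non-redirect status, a missing Location header, a loop, or max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, location = parse_redirect(fetch(chain[-1]))
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urllib.parse.urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:  # redirect loop: stop rather than spin forever
            break
        chain.append(nxt)
    return chain

if __name__ == "__main__":  # usage: python unmask.py http://tinyurl.com/37dnopw
    for hop, u in enumerate(unmask(sys.argv[1])):
        print("%d: %s" % (hop, u))
```

The last URL printed is where you would have ended up; a chain that stops at max_hops or a loop is itself a warning sign.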

Be careful!
