16 Jun 2009
Popular short URL service hacked and millions redirected
Cligs service suffers from hack attack
IT security and control firm Sophos is advising computer users
to be wary of shortened URLs and to consider running a plug-in that
will expand links before clicking on them. The warning follows news
that Cligs, recently ranked as the fourth most popular URL
shortening service on Twitter, has been hacked and on Sunday was
redirecting millions of cli.gs links to a story about Twitter
hashtags by blogger Kevin Sablan of the Orange County Register.
Sophos experts note that URL shortening services like TinyURL,
bit.ly and is.gd have increasingly become part of many computer
users' everyday lives with the surge in popularity of
micro-blogging websites like Twitter.
Sablan noticed the unexpected rise in traffic on Monday morning
and has subsequently blogged about the experience of having 2.2
million links temporarily pointing to his blog post. A statement on
the Cligs website suggests that a security vulnerability in its
edit functionality allowed a malicious hacker to change the
destination of millions of shortened URLs. The company also
admitted that it hasn't been getting daily backups since early
May.
"While Cligs is nowhere near as popular as the likes of TinyURL,
it is still used by a substantial number of people, so you can
imagine the disruption that can be caused if links no longer go
where they are supposed to," said Graham
Cluley, senior technology consultant at Sophos. "These services
are becoming indispensable with more and more people using Twitter
and needing to make their point in 140 characters or less, but this
is not the first time we have seen spammers and hackers abusing
these systems. While it's not clear what the intentions of the
fraudsters were in this case, they could have easily redirected
millions of shortened URLS to a website hosting malware. While
these services should be making their systems as secure as
possible, similar incidents are likely to happen again, and so it's
important that computer users don't automatically trust links on
websites like Twitter."
About Sophos
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.