Popular short URL service hacked and millions redirected

June 16, 2009 Sophos Press Release

IT security and control firm Sophos is advising computer users to be wary of shortened URLs and to consider running a plug-in that will expand links before clicking on them. The warning follows news that Cligs, recently ranked as the fourth most popular URL shortening service on Twitter, has been hacked and on Sunday was redirecting millions of cli.gs links to a story about Twitter hashtags by blogger Kevin Sablan of the Orange County Register.

Sophos experts note that URL shortening services like TinyURL, bit.ly and is.gd have increasingly become part of many computer users' everyday lives with the surge in popularity of micro-blogging websites like Twitter.

Sablan noticed the unexpected rise in traffic on Monday morning and has subsequently blogged about the experience of having 2.2 million links temporarily pointing to his blog post. A statement on the Cligs website suggests that a security vulnerability in its edit functionality allowed a malicious hacker to change the destination of millions of shortened URLs. The company also admitted that it hasn't been getting daily backups since early May.

Cligs statement about hacking

"While Cligs is nowhere near as popular as the likes of TinyURL, it is still used by a substantial number of people, so you can imagine the disruption that can be caused if links no longer go where they are supposed to," said Graham Cluley, senior technology consultant at Sophos. "These services are becoming indispensable with more and more people using Twitter and needing to make their point in 140 characters or less, but this is not the first time we have seen spammers and hackers abusing these systems. While it's not clear what the intentions of the fraudsters were in this case, they could have easily redirected millions of shortened URLS to a website hosting malware. While these services should be making their systems as secure as possible, similar incidents are likely to happen again, and so it's important that computer users don't automatically trust links on websites like Twitter."