Some time ago there was considerable concern in the security community over shortened-link sites. The first one I remember was tinyurl.com. These sites allow you to enter a long URL, and they provide a shorter URL that redirects to the site you gave them. With the increase in the use of Twitter and SMS, both of which limit the number of characters in a message, these services have become more common and easier to use.
The security concern with these is that the recipient can’t see where the link goes before clicking on it. For years, education efforts have taught people how to determine where a link actually points. With these shortened URLs it’s impossible to tell where they lead; the only precaution possible is to trust the person sending you the link. With the number of people sharing links on Twitter, it’s very difficult to determine which senders are trustworthy and which are not.
To alleviate some of this risk, the US Federal Government started its own service that allows anyone to shorten links ending in .gov. This service produces a link that also ends in .gov, so users could trust the link because only .gov sites would receive these shortened links. This was a relatively quick fix to provide a higher level of trust in shortened links. Unfortunately the fix wasn’t completely thought through and has itself been abused.
Some web sites are vulnerable to an attack called Open Redirect. Sites are vulnerable because they accept a parameter from the web client and redirect the client to another site determined by that parameter. On the surface this sounds reasonable, because no client would pass a parameter for a site it didn’t want to visit. The issue is that an attacker can present a user with a link and parameter that appear valid but take the user to a malicious web site. This vulnerability wasn’t considered when the .gov link-shortening service was designed.
Since some .gov sites are vulnerable to Open Redirect and no authentication is required to generate the shortened URL, attackers have realized they can use the .gov short links to redirect the user, twice actually, to their malicious sites. These sites currently aren’t installing malware or committing any other covert actions; they simply use the trust of the .gov links and the promise of work-from-home opportunities to phish personal information from users.
When implementing any solution, one of the steps should be to brainstorm how the solution could be abused and identify solutions to the most likely abuses. With a little extra effort, the .gov shortening website could have had the added capability to scan the long URL and verify it wasn’t vulnerable to Open Redirect before generating the short link. This solution could still be implemented now, but a number of users have already been impacted and trust in the short-link service has already been damaged.
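As an added illustration (not code from the original post or from the .gov service), here is a hardened redirect-target check of the kind a vulnerable site is missing, beside the shortener-side screen the last paragraph proposes: before issuing a short link, inspect the long URL's query parameters for absolute URLs that point outside .gov. Function names, the allow-list and the sample URLs are assumptions.

```python
from typing import List, Optional, Set
from urllib.parse import urlparse, parse_qs, unquote


def safe_redirect_target(target: str, allowed_hosts: Set[str]) -> Optional[str]:
    """Hardened form of a redirect handler's target check (hypothetical).
    The vulnerable 'before' form redirects to `target` without looking at it.
    Returns a same-site path or an allow-listed absolute URL, otherwise None."""
    target = target.strip()
    # Scheme-relative ("//evil") and backslash forms are treated as absolute by browsers
    if target.startswith(("//", "/\\", "\\")):
        return None
    p = urlparse(target)
    if p.scheme == "" and p.netloc == "":
        # Plain relative path: require a single leading slash
        return target if target.startswith("/") else None
    if p.scheme not in ("http", "https"):
        return None
    return target if (p.hostname or "").lower() in allowed_hosts else None


def embedded_external_urls(long_url: str, trusted_suffix: str = ".gov") -> List[str]:
    """Shortener-side screen: list query-parameter values of `long_url` that are
    absolute URLs to hosts outside `trusted_suffix`. Empty list means clean.
    Only one layer of percent-encoding is undone (a known limitation)."""
    found: List[str] = []
    query = parse_qs(urlparse(long_url).query, keep_blank_values=True)
    for values in query.values():
        for raw in values:
            value = unquote(raw)
            if value.startswith("//"):          # scheme-relative external target
                found.append(value)
                continue
            p = urlparse(value)
            if p.scheme in ("http", "https") and p.hostname:
                host = p.hostname.lower()
                if not (host == trusted_suffix.lstrip(".") or host.endswith(trusted_suffix)):
                    found.append(value)
    return found


def shortener_accepts(long_url: str) -> bool:
    """Decision the post suggests: only shorten .gov URLs that carry no
    external redirect target in their parameters."""
    p = urlparse(long_url)
    host = (p.hostname or "").lower()
    if p.scheme not in ("http", "https") or not host.endswith(".gov"):
        return False
    return not embedded_external_urls(long_url)
```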