security and privacy implications of url shortening
play

Security and Privacy Implications of URL Shortening Services - PowerPoint PPT Presentation

Jun 26, 2023 •412 likes •743 views

Security and Privacy Implications of URL Shortening Services Alexander Neumann, Johannes Barnickel, Ulrike Meyer IT Security Research Group RWTH Aachen University Germany May 26th, 2011 Alexander Neumann, Johannes Barnickel, Ulrike Meyer

  1. Security and Privacy Implications of URL Shortening Services Alexander Neumann, Johannes Barnickel, Ulrike Meyer IT Security Research Group RWTH Aachen University Germany May 26th, 2011 Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 1

  2. Introduction • Alexander Neumann ◮ Computer science student, RWTH Aachen University, Germany ◮ Working as Penetration Tester for RedTeam Pentesting GmbH • Johannes Barnickel ◮ Research Advisor ◮ Ph.D. Student, IT Security Group, RWTH Aachen University Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 2

  3. Definitions • Short URL does not exceed 35 characters • Shortened URL belongs to a shortening service • Corner cases: ◮ Shortened URL but not short: http://urlshorteningservicefortwitter.com/4czyx ◮ Short URL but not shortened: http://www.google.de/search?q=IEEE Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 3

  4. The Problem • Long URLs tend to wrap (especially in mail) • Twitter is restricted to 140 characters • URLs in books should be short • User tracking and statistics • “Solution”: URL shortening services (USS) Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 4

  5. Technical Description 1. User posts long URL to service http://itsec.rwth-aachen.de/research 2. Service generates short URL http://nvg8.it/8b896c 3. Other user requests short URL 4. Server responds HTTP 301 or 302 5. Other user is redirected to long URL Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 5

  6. Downsides • Link destination is not transparent • Reachability of the service is not guaranteed • USS can silently stop working ⇒ All shortened URLs defunct • Request is delayed when connection to USS has high latency • Service might be hacked and redirect to malware • Service might be hostile and serve malware to vulnerable browsers • Secret URLs submitted to USS cannot be deleted • . . . Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 6

  7. Facts many users do not know • URL service accumulates click statistics and creates profiles of users • Short links might vanish after a few years • When the USS dies, all shortened URLs are dysfunctional • When the USS is hacked, links might point to other websites (malware, porn, violence, . . . ) • Short URLs can be enumerated ⇒ All submitted URLs are public(!) Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 7

  8. Research Objectives • Analyze risks for clients, servers, and privacy of users • Empirical studies: 1. Determine popular USS on Twitter 2. Analyze the use of USS in spam 3. Test for malicious services 4. Analyze user tracking abilities 5. Enumerate shortened URLs 6. Submit honeypot URLs to USS 7. Test latency and availability of popular USS Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 8

  9. Preliminaries: List of USS Sources: • Firefox add-on ShortenURL • List of USS on longurl.org (URL expansion service) • Lists of USS on several blogs • Hostnames of URLs in Spam E-Mails Leads to list of 610 USS (distinct host names), includes 527 general purpose USS. Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 9

  10. 0lv.ru clickmeter.com fwib.net kurl.nu nn.nf retwt.me snipurl.com twhub.com urlz.at 0rz.tw clickthru.ca get.sfu.ca kurzurl.net notifyurl.com rickroll.it snkr.me twip.us urlzen.com 1link.in cli.gs get- k.vu notlong.com r.im snurl.com twirl.at usat.ly 1url.com clk.my shorty.com l9k.net not.my ri.ms sokrati.ru twitclicks.com use.my 23o.net cl.lk get- lanjut.in n.pr riz.gd song.ly twitterpan.com u.to 2big.at cl.ly url.com lat.ms nsfw.in rmse.ru sp2.ro twitterurl.net vb.ly 2.gp clop.in gizmo.do liip.to nutshellurl.com rnk.me spedr.com twitterurl.org vdirect.com 2.ly coge.la gkurl.us liltext.com nvg8.it rnm.me sqrl.it twittu.ms v.gd 2su.de c-o.in gl.am lin.cr nxy.in rt.nu srnk.net twiturl.de vgn.am 2tu.us conta.cc go2cut.com lin.io nyti.ms rubyurl.com srs.li twtr.us vi.ly 2ya.com cort.as go2.me linkbee.com oboeyasui.com ru.ly starturl.com twurl.cc vl.am 2ze.us cot.ag go.9nl.com linkbun.ch oc1.us rurl.org sturly.com twurl.nl voizle.com voomr.com 301.to crks.me good.ly linkee.com odun.net rww.tw su.pr u28.de 301url.com crum.pl goo.gl linkl.ru omf.gd s4c.in surl.co.uk u6e.de vtc.es 307.to ctvr.us go.qb.by linkslice.com om.ly s7y.us surl.hu u76.org w3t.org 3.ly curio.us goshrink.com link.toolbot.com omoikane.net safe.mn ta.gd ub0.cc w55.de 4ms.me cut.im gourl.gr linxfix.com on.cnn.com sai.ly tbd.ly uforgot.me wapo.st 4sq.com cutt.us go.usa.gov liteurl.net on.mktw.net sdut.us t.co uik.in wapurl.co.uk 4url.cc cuturls.com gowat.ch liurl.cn ooqx.com services.digg.com tcrn.ch uiop.me webalias.com 5.gp daa.li g.ro.lt lnk.by orz.se sfu.ca tgr.me ulimit.com weturl.com 6url.com dai.ly gurl.es lnkd.in ow.ly shar.es tgr.ph ulu.lu w.hurl.ws 7.ly deadsmall.com gzurl.com lnk.gd o-x.fr sharetabs.com thesurl.com u.mavrev.com wipi.es 9mp.com decenturl.com hao.jp lnk.in parv.us shim.net thinfi.com unfake.it wp.me a2n.eu df9.net hex.io lnk.ly paulding.net shink.de thnlnk.com u.nu xaddr.com a.307.to dfl8.me hhvx.com lnk.ms pd.am shmyl.com tighturl.com updating.me xeeurl.com aa.cx digbig.com hiderefer.com lnk.nu pendek.in shorl.com timesurl.at ur1.ca xil.in abbrr.com digg.com hmm.ph lnk.sk pic.gd shortenurl.com tiniuri.com urizy.com xlurl.net abcurl.net digipills.com ho.io lnkurl.com piko.me shorterlink.com tini.us url360.me xr.com adf.ly disq.us hop.im ln-s.net ping.fm shorterlink.co.uk tinurl.mobi url4.eu xrl.in adjix.com dld.bz hosturl.com ln-s.ru pipes.yahoo.com short.ie tiny123.com url9.com xrl.us ad.vu dlvr.it hotredirect.com lookleap.com piurl.com shortio.com tinyarro.ws urlac.com x.se afx.cc dn.vc href.in low.cc pli.gs shortlinks.co.uk tiny.by url.ag xsm.us a.gd doiop.com hsblinks.com l.pr plumurl.com shortn.me tiny.cc urlao.com xs.to a.gg do.my htxt.it lru.jp plurl.me short.to tinylink.com url.az xurl.es aisr.us dopen.us hub.tm lt.tl p.ly shorturl.com tinylink.in urlbee.com xurl.jp all.fuseurl.com durl.me huff.to lurl.no pnt.me shorturl.de tiny.ly urlbit.us x.vu alturl.com durl.us hulu.com macte.ch politi.co shoturl.us tiny.pl urlborg.com xxsurl.de amzn.to dwarfurl.com hurl.it makeashorterlink.com poprl.com shout.to tinypl.us urlbrief.com y.ahoo.it a.nf dy.fi hurl.me makeitbrief.com post.ly show.my tinyuri.ca urlcorta.es yatuc.com

  11. Results Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 11

  12. Determine Popular USS on Twitter • Base: Two samples of Twitter messages (24 hours each, max 10 %) • Results: ◮ 7.5 million / 8.7 million messages ◮ 1.2 million / 1.1 million URLs ◮ 553,320 / 431,636 shortened URLs • Top ten services (cover 96% of all USS on Twitter): 1. bit.ly / j.mp 6. dlvr.it 2. t.co 7. is.gd 3. tinyurl.com 8. migre.me 4. goo.gl 9. dld.bz 5. ow.ly 10. lnk.ms Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 12

  13. Top ten services 600,000 100% Rest Top 9 Proportion of shortened URLs bit.ly Number of shortened URLs 500,000 80% 400,000 60% 300,000 40% 200,000 20% 100,000 0 0% Sample 1 Sample 2 Sample 1 Sample 2 Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 13

  14. USS in Spam • Spam e-mails from SCHNUCKI project • 7.9 million e-mails collected since 2003 • 12.8 million URLs, 0.3 % shortened URLs • Query shortened URLs and analyze response code • Calculate spam detection rate for relevant services Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 14

  15. Spam detection rate of USS 100% 80% 60% 40% 20% 0% is.gd tinyurl.com snipurl.com bit.ly moourl.com su.pr migre.me tiny.cc redir.ec urlpass.com Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 15

  16. Malicious USS Attack scenario: Setup a fast and attractive USS, serve all requests normally, but after a while start sending vulnerable browsers to malware sites. Analysis: • Query shortened URLs seen on Twitter for 187 different USS with 83 different User-Agent strings • Analyze HTTP response Location header • Result: No malicious behaviour found • But: One service handles browsers different Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 16

  17. User-Tracking USS • Data from previous experiment • Analyze HTTP response Set-Cookie header • Results: ◮ 65 USS set cookies ◮ 38 USS set persistent cookies ◮ 28 USS set persistent cookies with validity period 6 months or more • Define Q as quotient: #all unique values received for the cookie #all values Alexander Neumann, Johannes Barnickel, Ulrike Meyer RWTH Aachen University 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Shortening the Conceptual Gap Shortening the Conceptual Gap Edsger Dijkstra in his 1968 paper Go

Shortening the Conceptual Gap Shortening the Conceptual Gap Edsger Dijkstra in his 1968 paper Go

Shortening the Conceptual Gap Shortening the Conceptual Gap Edsger Dijkstra in his 1968 paper Go To Statement Considered Harmful states that: we should [] do our utmost to shorten the conceptual gap between the static program and the

724 views • 33 slides
Privacy Implications of Privacy Settings and Tagging in Facebook Stan Damen, Nicola Zannone

Privacy Implications of Privacy Settings and Tagging in Facebook Stan Damen, Nicola Zannone

Privacy Implications of Privacy Settings and Tagging in Facebook 1 Privacy Implications of Privacy Settings and Tagging in Facebook Stan Damen, Nicola Zannone Eindhoven University of Technology 10th VLDB Workshop on Secure Data Management

476 views • 19 slides
CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security

CS573 Data Privacy and Security Data Privacy and Security in Healthcare Data Privacy and Security in Healthcare Li Xiong Healthcare security and privacy HIPAA overview Research survey on information security and privacy in healthcare

1.05k views • 57 slides
Direct-to-Consumer Neurotechnology: Privacy Implications Deven McGraw, JD, MPH, LLM Partner

Direct-to-Consumer Neurotechnology: Privacy Implications Deven McGraw, JD, MPH, LLM Partner

Direct-to-Consumer Neurotechnology: Privacy Implications Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP August 20, 2014 Why do we care about privacy? 1 Without privacy protections, people will engage in privacy-

577 views • 8 slides
Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B.

5/18/2016 Security and Privacy 12A. Operating Systems Security Operating Systems Principles 12B. Authentication 12C. Authorization Security and Privacy 12D. Trust 12E. At-Rest Encryption Mark Kampe (markk@cs.ucla.edu) Security and Privacy

116 views • 8 slides
Privacy Implications of Social Networks Gates Scholars' Symposium 1 March 2009 Joseph Bonneau

Privacy Implications of Social Networks Gates Scholars' Symposium 1 March 2009 Joseph Bonneau

Privacy Implications of Social Networks Gates Scholars' Symposium 1 March 2009 Joseph Bonneau Security Research Group Computer Laboratory Outline Why Privacy Matters How Social Networks Change The Game The Current Mess

495 views • 46 slides
SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY

SECURITY, ADVERSARIAL SECURITY, ADVERSARIAL LEARNING, AND PRIVACY LEARNING, AND PRIVACY Christian Kaestner with slides from Eunsuk Kang Required reading: Hulten, Geoff. "Building Intelligent Systems: A Guide to Machine Learning

1.95k views • 113 slides
S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks

FAKULTT FR !NFORMATIK Faculty of Informatics S & P SECURITY & PRIVACY GROUP Security and Privacy for Payment Channel Networks Pedro Moreno-Sanchez Blockchain Summer School BDLT19 Vienna, Sep 2nd 2019 Blockchain Research

1.41k views • 73 slides
Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous,

Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous,

Privacy Enhancing Technologies 2003 An Analysis of GNUnet and the Implications for Anonymous, Censorship-Resistant Networks Dennis Kgler Federal Office for Information Security, Germany Dennis.Kuegler@bsi.bund.de 1 Anonymous,

488 views • 16 slides
Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much

Be,er Privacy and Security via Secure Computa9on Jonathan Katz Security/privacy would be much easier if there were someone we could all TRUST with our data Be8er data mining -- using MORE data, while respec@ng users PRIVACY

888 views • 35 slides
Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI)

CS 563 - Advanced Computer Security: Web Privacy Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Administrative Learning Objectives : Consider the difference between security and privacy Discuss work

814 views • 43 slides
Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data

Privacy & Security Matters: Privacy & Security Matters: Protecting Personal Data Protecting Personal Data Privacy & Security Project HIPAA: What it is Health Insurance Portability and Accountability Act of 1996 Also known as

445 views • 26 slides
Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned

Healthcare privacy and security Li Xiong CS573 Data Privacy and Security Patients Are Concerned Did you know... 77 percent of all Americans feel their personal health information privacy is very important, and 84 percent said they

769 views • 50 slides
How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and

How Badly Broken is Privacy Legislation? And what can we do to fix it? 17th Annual Privacy and Security Conference Privacy and Security by Choice, not Chance Afternoon Workshop Wednesday February 3, 2016 Victoria, B.C. Canada Gerry Bliss

1.11k views • 63 slides
CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local

CS573 Data Privacy and Security Local Differential Privacy Li Xiong Privacy at Scale: Local Differential Privacy in Practice (Module 1) Graham Cormode, Somesh Jha, Tejas Kulkarni, Ninghui Li, Divesh Srivastava, and Tianhao Wang Differential

819 views • 38 slides
Privacy in Ubiquitous Computing Options, Trends, and Implications of Smart Objects Marc

Privacy in Ubiquitous Computing Options, Trends, and Implications of Smart Objects Marc

Privacy in Ubiquitous Computing Options, Trends, and Implications of Smart Objects Marc Langheinrich Institut fr Pervasive Computing ETH Zrich Februar 11. 2006 ZiF-Workshop: Privacy and 1 Surveillance Technologies Privacy in Ubiquitous

573 views • 32 slides
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Introduction Previous work Our contribution Conclusion Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron, Avradip Mandal, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS

864 views • 60 slides
LDPC Error Floor Prediction using Trapping Set aware Code Shortening D. Declercq, B.

LDPC Error Floor Prediction using Trapping Set aware Code Shortening D. Declercq, B.

LDPC Error Floor Prediction using Trapping Set aware Code Shortening D. Declercq, B. Vasic, B. Reynwar, V. Yella, S. Planjery March 2019

429 views • 27 slides
DESIGNING & PROVIDING FEEDBACK ON WRITTEN ASSIGNMENTS EMILY CARRS PEDAGOGY

DESIGNING & PROVIDING FEEDBACK ON WRITTEN ASSIGNMENTS EMILY CARRS PEDAGOGY

DESIGNING & PROVIDING FEEDBACK ON WRITTEN ASSIGNMENTS EMILY CARRS PEDAGOGY BLOG h2p://blogs.eciad.ca/pedagogy/ DESIGNING ASSIGNMENTS TO INFLUENCE HOW AND WHAT STUDENTS WRITE THREE POINTS TO TAKE

515 views • 27 slides
Introduction to Optimization Abhilasha Gupta and Mahesh Barve IIT GOA April 3, 2019 1 Outline

Introduction to Optimization Abhilasha Gupta and Mahesh Barve IIT GOA April 3, 2019 1 Outline

Introduction to Optimization Abhilasha Gupta and Mahesh Barve IIT GOA April 3, 2019 1 Outline 1 Introduction to Optimization 2 What is Convex Optimization? 3 Global/ Local Minima/Maxima 4 Convex Set 5 Example: Hyperplane/Halfspace 6 Convex

695 views • 24 slides
Brevity (or, Causal Effects of Brevity on Style and Success in Social Media, if youre not into

Brevity (or, Causal Effects of Brevity on Style and Success in Social Media, if youre not into

Brevity (or, Causal Effects of Brevity on Style and Success in Social Media, if youre not into the whole brevity thing) Kristina Gligoric Ashton Anderson Robert West EPFL University of Toronto EPFL How your message is received

1.01k views • 25 slides
CLIC Beam Delivery System R. Toms Thanks to H. Braun, A. Latina, J. Resta and D. Schulte

CLIC Beam Delivery System R. Toms Thanks to H. Braun, A. Latina, J. Resta and D. Schulte

CLIC Beam Delivery System R. Toms Thanks to H. Braun, A. Latina, J. Resta and D. Schulte April 2007 Rogelio Tom as Garc a CLIC Beam Delivery System p.1/18 Contents Status of the CLIC

462 views • 18 slides
Leveraging Lock Contention to Improve Transaction Applications Cong Yan Alvin Cheung

Leveraging Lock Contention to Improve Transaction Applications Cong Yan Alvin Cheung

Leveraging Lock Contention to Improve Transaction Applications Cong Yan Alvin Cheung University of Washington 1 Background Database transactions Airline ticket reservation, banking, online shopping... 2 Background Database

656 views • 41 slides
Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot and

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot and

Direct Construction of Recursive MDS Diffusion Layers using Shortened BCH Codes Daniel Augot and Matthieu Finiasz Context Diffusion layers in a block cipher/SPN should: obviously, offer good diffusion, have a large branch number , be

381 views • 21 slides

More recommend