Cligs short url service hacked, millions redirected

by Graham Cluley on June 16, 2009 | Comments Off

Filed Under: Social networks, Spam

Cligs logo
URL shortening services like TinyURL, bit.ly and is.gd have increasingly become part of many computer users' everyday lives in the last year or so, with the surge in popularity of micro-blogging websites like Twitter.

The services allow you to shorten a long url like

http://sophosnews.files.wordpress.com/2009/06/cligs-spam.jpggc/g/2009/02/18/neat-add-on-twitter/

to something much snappier like

http://tinyurl.com/c27gqd.

That's important if you need to make your point in 140 characters or less.

On Sunday, one such URL shortening service, Cligs, was hacked redirecting millions of cli.gs links to a story about Twitter hashtags by blogger Kevin Sablan of the Orange County Register (hosted at freedomblogging.com).

Sablan noticed the unexpected rise in traffic on Monday morning, and responded to a message from a redirected internet user:

Blogger Kevin Sablan comments on his blog about his unexpected traffic

Subsequently, Sablan (who is not believed to have been involved in the hack) blogged about the experience of having 2.2 million links temporarily pointing at his blog post.

Cligs was recently ranked as the fourth most popular URL shortening service on Twitter. Although its popularity is dwarfed by the likes of bit.ly and tinyurl it is still being used by a substantial number of people - so you can imagine the disruption that can be caused if links no longer go where they were intended.

A statement on the Cligs website suggests that a security vulnerability in its edit functionality allowed a malicious hacker to change the destination of millions of shortened urls.

Statement from Cligs about hack

Cligs's disaster recovery plan is hampered somewhat by the admission that it hasn't been getting daily backups since early May. Whoops.

It's clear, though, that this hack could have been much worse. It's not yet apparent what the intentions were of the hackers, but they could have just as easily redirected millions of shortened urls to a website hosting malware. That's one of the reasons why it can be helpful to run a plug-in that will expand shortened urls before you click on them.

As an aside, we frequently see spammers abusing shortened url services to try and make life harder for anti-spam filters trying to determine if a link is going somewhere unsavoury.

Here's an example of a spam campaign we saw today which uses a Cligs shortened url to try to sell bulk-mailing software:

Spam email using Cligs shortened url

Tags: , , ,

About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.