URL shortening services such as TinyURL.com have existed for years. They turn long URLs into short ones, and they have long been considered useful. With the rise of micro-blogging services such as Twitter, some of which limit each post to 140 characters, they are more useful than ever: users of these services need the links they post to be as short as possible, so even URLs that are not very long tend to be shortened in micro-blog posts. But the convenience comes with a security cost. A shortened URL reveals nothing about the page it points to, so a user who clicks it cannot tell a legitimate destination from a malicious one, and the likelihood that users will click on malicious links increases.
Reflected XSS attacks tend to be carried out by directing users to crafted URLs. When I look through the URLs on the list of reflected XSS vulnerabilities on XSSed.com, I find that many of them are quite unwieldy and contain text that may appear suspicious. One way to make such a URL look innocuous is to pass it through a URL shortening service, so that the victim sees only the short link the service outputs. Twitter has already been used to spread an XSS worm, so URL shortening services could be used to launch XSS attacks via Twitter once again.
I am not the first to write about the security implications of these services. There is a very good blog entry on this topic that can be viewed here, and there are articles on how these services can be used in phishing attacks that can be viewed here and here. Each of these articles explains how to reveal the long URL behind a shortened one. However, many users will not take the time to check where a shortened URL leads before going there. Some might not want to visit a website such as LongURL to view the URL to which they would be redirected, and some might not use tools such as the Firefox extension that reveals URLs shortened by bit.ly. Many users simply prefer not to spend the time needed to avoid being redirected somewhere they would not want to go.
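Revealing the destination can also be automated, and doing it safely means never loading the destination page. The following is an added example, not code from the original post or from LongURL, bit.ly, or any other service named above. It expands a shortened URL hop by hop with HEAD requests, reading only the Location header of each redirect, and then screens the final URL for markers of a reflected-XSS payload of the kind found in the XSSed.com listings. The redirect table and the hostnames victim.example, short.example and loop.example are constructed for the example, and the injectable `fetch` argument is an assumption made so the logic can be exercised offline; the real `fetch_location` is only used when you run it against a live shortener.

```python
"""Expand a shortened URL without visiting its destination, then screen the
destination for markers of a reflected-XSS payload.

Added example; not code from the original post or from any URL shortening
service.  It relies only on how HTTP redirects work (a 3xx status plus a
Location header), not on any shortener's API.
"""
import http.client
import re
import urllib.parse

MAX_HOPS = 10  # a chain longer than this is treated as an error, not followed


def fetch_location(url, timeout=5):
    """Send one HEAD request and return the Location header, or None.

    Redirects are deliberately NOT followed here, so the shortener is
    contacted but the page it redirects to is never requested.
    """
    parts = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            return resp.getheader("Location")
        return None
    finally:
        conn.close()


def expand(short_url, fetch=fetch_location, max_hops=MAX_HOPS):
    """Walk the redirect chain one hop at a time; return (final_url, chain).

    `fetch` is injectable (an assumption for offline use).  Relative Location
    values are resolved against the current URL.  Loops and over-long chains
    raise RuntimeError rather than being followed forever.
    """
    chain = [short_url]
    current = short_url
    for _ in range(max_hops):
        loc = fetch(current)
        if loc is None:
            return current, chain
        nxt = urllib.parse.urljoin(current, loc)
        if nxt in chain:
            raise RuntimeError("redirect loop via %s" % nxt)
        chain.append(nxt)
        current = nxt
    raise RuntimeError("redirect chain exceeded %d hops" % max_hops)


# Heuristic markers of a reflected-XSS payload.  These are indicators, not
# proof: a parameter named "online=" would trip the event-handler pattern.
XSS_MARKERS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("javascript_scheme", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("html_tag", re.compile(r"<\s*(iframe|img|svg|object|embed)\b", re.I)),
    ("document_cookie", re.compile(r"document\.cookie", re.I)),
]


def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding; payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def suspicious_markers(url):
    """Return the names of XSS markers present in the path, query or fragment."""
    parts = urllib.parse.urlsplit(url)
    haystack = fully_decode(parts.path + "?" + parts.query + "#" + parts.fragment)
    return [name for name, pat in XSS_MARKERS if pat.search(haystack)]


# Constructed redirect table standing in for live shorteners (offline use).
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc": "http://t.co/xyz",
    "http://t.co/xyz": "http://victim.example/search?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E",
    "http://tinyurl.com/def": "http://example.com/article?id=42",
    "http://short.example/r": "/landing",            # relative Location
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",  # redirect loop
}


def fake_fetch(url):
    """Offline stand-in for fetch_location backed by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for short in ("http://tinyurl.com/abc", "http://tinyurl.com/def"):
        final, chain = expand(short, fetch=fake_fetch)
        print(" -> ".join(chain))
        print("  markers:", suspicious_markers(final) or "none")
```

To check a real link, call `expand("https://bit.ly/...")` with the default `fetch`; the only hosts contacted are the shorteners in the chain, never the final destination. The marker list is a screen, not a verdict: an empty result does not make the destination safe, and a hit is a reason to look at the decoded URL before anyone clicks it.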
When users are given a choice between security and convenience, they tend to choose convenience. There should be a way for URL shortening services to be both secure and convenient. Until there are better methods for determining whether a shortened URL is being used for malicious purposes, these services will continue to be used for attacks such as phishing and XSS.