Despite security researchers citing the dangers of using URL shorteners, they’ve proliferated online. Twitter pretty much requires them because of its 140-character limit, and major sites like Google (goo.gl), New York Times (nyt.ms), New Yorker (nyr.lr) and LA Times (lat.ms) have popularized their own sites, too.
It’s getting to the point where people e-mail shortened links to each other, making security researchers’ recommendations about not clicking on “strange” links instantly moot.
Enter Ben Schmidt, a computer science student at the University of Tulsa, who thinks people are “over-reliant” on URL shorteners. He created D0z.me, a “proof-of-concept” URL shortener that generates a denial of service attack on a server while re-routing links.
The way the script is written, the resulting DDOS attack is even more potent when run from an HTML5 browser.
Imagine this – a link appears that purports to be a funny YouTube video. The video is funny enough that the user forwards it on to the next person, who sends it on again. And each time a person clicks on that link, some other site somewhere is getting DDOSed, and these people are inadvertently taking part and increasing the size of the attack.
Schmidt emphasizes that he made the service to prove a point and not to facilitate mischief-making, writing on his blog, “If you target a site that is not yours, you are responsible for the consequences.”
There was a time when distributed denial of service attacks were something that required a lot of hacking know-how and technical skills. It’s a little scary to think of the havoc that can be wreaked by click-happy individuals using these tools.
If someone posts a D0z.me link, don’t click on it!