Cligs, a popular URL shortening service for Twitter users, was hacked recently in an attack that exploited a security hole to redirect 2.2 million URLs.
“Late last night/early this morning, a security hole in the Cligs editing functionality was discovered and was exploited by a malicious attacker,” according to a June 15 statement on the Cligs Website. “The attack edited most URLs on Cligs to point to a single URL hosted on freedomblogging.com.”
For Twitter users, URL shortening services such as TinyURL and Cligs have become a staple because they allow users to Tweet long Web addresses and stay within the character limit imposed on messages. Such services, however, have attracted the attention of security researchers and attackers alike.
Sophos raised the alarm over a phishing scam late last month that used a TinyURL link to lure users to a rogue site.
“It’s not yet apparent what the intentions were of the hackers [in the Cligs case], but they could have just as easily redirected millions of shortened urls to a Website hosting malware,” blogged Graham Cluley, senior technology consultant at Sophos. “That’s one of the reasons why it can be helpful to run a plug-in that will expand shortened urls before you click on them.”
“As an aside, we frequently see spammers abusing shortened url services to try and make life harder for anti-spam filters trying to determine if a link is going somewhere unsavoury,” he added.
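The "expand before you click" advice above can be implemented as a small resolver that walks a short URL's redirect chain without loading the destination page. This is an added example, not code from Cligs, Sophos or the article; `fetch_location` is a hypothetical callable (a real tool would send an HTTP HEAD request with automatic redirects disabled and read the `Location` header), and the redirect table is constructed sample data.

```python
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5  # assumption: give up after this many redirects


def expand_url(url, fetch_location, max_hops=MAX_HOPS):
    """Follow redirects manually and return (chain, status).

    chain  - every URL visited, starting with the short URL
    status - 'resolved' (a non-redirecting final URL was reached),
             'loop' (a URL repeated) or 'too_many_hops'
    fetch_location(url) must return the Location header value for a
    redirect, or None when the URL does not redirect.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch_location(chain[-1])
        if location is None:
            return chain, "resolved"
        # Location may be relative; resolve it against the current URL.
        next_url = urljoin(chain[-1], location)
        chain.append(next_url)
        if next_url in seen:
            return chain, "loop"
        seen.add(next_url)
    return chain, "too_many_hops"


def final_host(chain):
    """Hostname of the last URL in the chain: the thing a user should inspect."""
    return urlparse(chain[-1]).hostname


# Constructed redirect table standing in for live HTTP responses.
SAMPLE_REDIRECTS = {
    "http://short.example/abc123": "http://example-blog.invalid/landing",
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
    "http://short.example/rel": "/final",      # relative Location header
    "http://short.example/final": None,        # does not redirect
}


def sample_fetch(url):
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for short in ("http://short.example/abc123", "http://short.example/loop1"):
        chain, status = expand_url(short, sample_fetch)
        print(status, " -> ".join(chain), "host:", final_host(chain))
```

A mass-redirect incident like the one described here shows up as many unrelated short links all resolving to the same destination host, which is exactly what a preview step makes visible.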
According to Cligs, the attacker’s IP address appears to have come from Canada. The company identified the security hole yesterday and began the process of restoring the URLs to their original destinations. However, the company admitted that its most recent backup is from early May, so all URLs created since then may be lost.