Need more proof that URL shortening services are bad for web stability and security? Look no further than d0z.me, a ‘proof-of-concept’ shortener that does a fine job at redirecting people from the shortened links to the destination pages — except everyone who clicks on a link is an unknowing participant in a DDoS [distributed denial of service] attack on another site’s server.
TechCrunch’s Alexia Tsotsis explains just how nefarious d0z.me is: “When users click on the link, they are redirected to the requested site with the addition of a invisible iFrame that unleashes a LOIC-canon like Javascript DoS that runs while the user is browsing. The malevolent script runs for as long as a user continues browsing from a page and is even more potent when run from an HTML5 browser.” It’s worth emphasizing that the people who are clicking the links aren’t affected at all: Though they’re participating in an attack, their computer and web performance remain unaffected, and not a single bit of malicious software is installed.
Ben Schmidt, who created d0z.me, emphasizes that he made the service to prove a point and not to facilitate mischief-making: “It was created solely as an example of the serious consequences of the Internet’s increased reliance upon URL shortners, as well as how easy it is to create an unwitting DDoS botnet without actually exploiting a single computer. If you target a site that is not yours, you are responsible for the consequences.”
(via TechCrunch)
