Skip to main content Nefarious URL Shortener Makes Link-Clickers into Unwitting DDoS Attackers

Need more proof that URL shortening services are bad for web stability and security? Look no further than, a ‘proof-of-concept’ shortener that does a fine job at redirecting people from the shortened links to the destination pages — except everyone who clicks on a link is an unknowing participant in a DDoS [distributed denial of service] attack on another site’s server.

TechCrunch’s Alexia Tsotsis explains just how nefarious is: “When users click on the link, they are redirected to the requested site with the addition of a invisible iFrame that unleashes a LOIC-canon like Javascript DoS that runs while the user is browsing. The malevolent script runs for as long as a user continues browsing from a page and is even more potent when run from an HTML5 browser.” It’s worth emphasizing that the people who are clicking the links aren’t affected at all: Though they’re participating in an attack, their computer and web performance remain unaffected, and not a single bit of malicious software is installed.

Ben Schmidt, who created, emphasizes that he made the service to prove a point and not to facilitate mischief-making: “It was created solely as an example of the serious consequences of the Internet’s increased reliance upon URL shortners, as well as how easy it is to create an unwitting DDoS botnet without actually exploiting a single computer. If you target a site that is not yours, you are responsible for the consequences.”

(via TechCrunch)

Have a tip we should know? [email protected]

Filed Under:

Follow The Mary Sue: