Hacked URL service puts users at risk

Surfers are being warned not to click on shortened URLs on sites such as Twitter, after it emerged that a major URL shortening service was hacked at the weekend.

Services provided by firms such as TinyURL, Bit.ly and Cligs have become increasingly popular, as they allow URLs to be displayed in a more succinct form.

However, Cligs, which is seen as the fourth most popular shortening service, suffered a hacking incident in which more than two million URLs were apparently changed to a single URL, directing users to a story about Twitter hashtags by blogger Kevin Sablan of the Orange County Register.

The firm said in a posting on the Cligs blog that a "security hole in the Cligs editing functionality" was to blame for the attack, which came from an IP address in Canada.

"Most important thing: your passwords are safe. They are stored encrypted and were never at risk in this attack," said the firm.

However, Graham Cluley, senior technology consultant at Sophos, warned that the incident could have been much worse.

"It is not yet apparent what the hackers' intentions were, but they could just as easily have redirected millions of shortened URLs to a website hosting malware," he wrote in a blog post.

"That is one of the reasons why it can be helpful to run a plug-in that will expand shortened URLs before you click on them."

Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, said that such services will be an attractive target for hackers as it gives them access to numerous URLs.

"I abandoned the URL shortening services on all of the social networks I'm on some time ago," he said. "If you strip out the http:// portion, such sites will no longer convert them into shortened URLs automatically. It's certainly less convenient, but at least the reader knows where I'm pointing to."