web application security lab

TinyURL Blacklists Imagecrash

id sent me this link today and it appears TinyURL has blacklisted Imagecrash. I suppose too many people have been duped by the TinyURL version of the page (not by me, but probably by people who thought it was funny to crash their best friend’s machines). This is actually the first time I’ve heard of TinyURL doing anything about the abuse. Not that it would stop much, as they could bounce the TinyURL off any other form of redirection and it’s extremely easy to build your own imagecrash page.

It’s nice to see them handling abuse, but like I said, it wouldn’t stop much. Ultimately I think TinyURL does provide a useful service, as do lots of types of redirection, but this clearly articulates that you can’t do so blindly, and there’s really no way you can know the intention of a URL until you go there - making blind redirection a risk to your consumers. TinyURL is in a slightly different boat where they have to know the URL ahead of time but that doesn’t buy you much. Blacklisting doesn’t help much either, as we’ve seen before, but it does help solve immediate problems (like redirection to one particular phishing site for instance - until the phishers build another one). Ultimately, I’m still in the camp that redirection is a bad idea.
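Added example, not part of the original post: a blacklist keyed on one exact URL string misses trivial variants of the same destination (such as the trailing `?` reported in the first comment below), while comparing canonical forms catches them. The function names, the sample list and `redirector.example` are constructed for illustration, and dropping the query string is an assumed policy that suits a static page.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}

# The one destination the post says was blacklisted.
BLOCKED_DESTINATIONS = ["http://ha.ckers.org/imagecrash.html"]


def canonicalize(url):
    """Reduce a URL to a (scheme, host, port, path) tuple for comparison."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")       # .hostname is lower-cased
    port = parts.port or DEFAULT_PORTS.get(scheme)  # make the default explicit
    path = unquote(parts.path) or "/"               # %69 -> i, empty -> /
    # Assumed policy: query and fragment are ignored, because a static page
    # serves the same content whatever is appended after "?" or "#".
    return (scheme, host, port, path)


BLOCKED_CANONICAL = {canonicalize(u) for u in BLOCKED_DESTINATIONS}


def blocked_exact(url):
    """Manual blacklist: plain string comparison against the stored link."""
    return url in BLOCKED_DESTINATIONS


def blocked_canonical(url):
    """Blacklist lookup on the canonical form instead of the raw string."""
    return canonicalize(url) in BLOCKED_CANONICAL


# Constructed submissions; the second is the variant from the first comment.
SAMPLES = [
    "http://ha.ckers.org/imagecrash.html",
    "http://ha.ckers.org/imagecrash.html?",
    "HTTP://HA.CKERS.ORG:80/imagecrash.html#x",
    "http://ha.ckers.org./%69magecrash.html",
    # Different host in front of the page: no destination-string check sees it.
    "http://redirector.example/go?id=1",
]


def compare(samples=SAMPLES):
    """Return (url, exact_match, canonical_match) for each submission."""
    return [(u, blocked_exact(u), blocked_canonical(u)) for u in samples]


if __name__ == "__main__":
    for url, exact, canon in compare():
        print(f"exact={exact!s:5} canonical={canon!s:5} {url}")
```

The last sample stays unblocked under both checks, which is the limit the post describes: a list of destination strings cannot account for an intermediate redirect unless the chain is resolved when the link is submitted.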

4 Responses to “TinyURL Blacklists Imagecrash”

  1. maluc Says:

    It’s also just a manual blacklist for that specific link .-. .. maybe because someone complained to tinyurl. http://tinyurl.com/lt2ml however works fine, which is just http://ha.ckers.org/imagecrash.html?

  2. RSnake Says:

    Thank you, Maluc, you exactly proved my point. It’s too bad, I really do think it’s a useful service. It just so happens to be dangerous to its consumers too.

  3. Edward Z. Yang Says:

    Wikimedia has long blocked tinyurl (and all variants thereof) links from their websites for this precise reason. There’s a list of them at http://meta.wikimedia.org/wiki/Spam_blacklist under “URL Shorteners”

  4. hjoo Says:

    an alternative http://www.atomurl.com