Cligs URL Shortening Service Hacked, Users Redirected
Orange County Register
The Cligs hack, which was detected by researchers at SophosLabs over the weekend, edited approximately 2.2 million Cligs URLs and redirected requests to a story about Twitter hashtags by Orange County Register blogger Kevin Sablan.
Sablan noticed the unexpected rise in traffic on Monday morning, and responded to a message from a redirected victim.
However, the Cligs hack has security researchers puzzled.
"When we first realized the URL shortening got meddled with, we assumed it pointed to a spam site," said Graham Cluley, senior technology consultant for SophosLabs. "Why else would you redirect these URLs?"
Cluley said that one of the theories explaining the odd redirect was that the hacker rerouted users to the harmless OC Register Web site by mistake.
"It just seems a very strange place to point people. If it was a joke, wouldn't you send people to 'Playboy' or something like that?" Cluley said. "My only guess is something went wrong."
With the upsurge of microblogging sites such as Twitter, URL-shortening services have likewise experienced an uptick in popularity. The service, which acts like a sort of shorthand for URLs, allows users to take long Web addresses and significantly reduce their length to something that's 140 characters or less.
While Cligs was recently ranked as the fourth most popular URL-shortening service on Twitter, Cluley said the service only has single-digit market share. Sites such as TinyURL and Bitly comprise a significantly larger share of the URL-shortening market.
Meanwhile, Sablan, who is not believed to be involved in the hack, said in a blog that he caught on to the redirect when his Twitter story drew copious amounts of Web traffic from mysterious sources.
"By 7 p.m. Monday, though, a page-view counter at The Register showed the post drawing more than 12,000 clicks -- from an unsuspecting audience around the globe!" Sablan wrote in his posting.
Cligs reassured users in a company blog post that no passwords were exposed during the hack. "They are stored encrypted and were never at risk in this attack," the Cligs posting said.
The attack, which appears to have originated from Canada, edited most of Cligs' URLs to point to a single URL hosted on freedomblogging.com, Cligs said.
Cligs executives said that the company had patched the security hole and was currently importing all of its URL data into a new database, which is scheduled to be up and running some time this weekend. All affected URLs are subsequently being corrected.
Cligs added, however, that its most recent backup occurred in early May, and the 161,000 URLs created since then have subsequently been lost.
"That's only 7 percent of the affected URLs. Not bad, all things considered," the Cligs posting said.
New URLs were not affected by the hack, the company added.
But despite the inconvenience and possible loss of tens of thousands of URLs, security experts said that the attack could have been much worse. "It's not yet apparent what the intentions were of the hackers, but they could have just as easily redirected millions of shortened URLs to a Web site hosting malware," Cluley said in a blog post.
To avoid falling victim to similar attacks in the future, Cluley recommended that users install a plug-in tool to convert short URLs into their original length, which would help determine the link's source. In addition, Cluley advised users to be wary of suspicious or unsolicited links, even if they appear to come from someone the victim knows.
"When someone sees a link in an e-mail, their mouse finger begins to twitch," Cluley said. "That's why spam exists and so much malware as well."