Re: TinyURL

["Joel R. Helgeson" <joel () helgeson com>]

Who cares about credit card numbers, I'm looking for privileged access to
sites.  Consider the following:

People use this service as an attempt to obfuscate the usernames and
passwords to protected websites and ftp servers that they email out.  I'm
finding a lot of urls that read like:
http://username:password () www protectedsite com/members
ftp://user:pass () ftp securedftp com/private/sourcecode

Looks like they wanted to get someone into their site, but didn't want to
actually 'give' the username and password out, so they tinyurl'ed it.

This means they've posted their username and password to the entire web!!

Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life."
----- Original Message ----- 
From: "Troy" <th () zeno com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, October 29, 2003 1:57 PM
Subject: Re: [Full-disclosure] TinyURL


> On Wed, 29 Oct 2003 08:30:17 -0600, "David Klotz" <klotz () acm org> wrote:
>
> > I don't agree.  First, you shouldn't be using a service like this to
send
> > sensitive information in the first place, and if you are, you get what
you
> > deserve.  If I leave my bank account number in my mailbox so I'll know
where
> > to get it, I shouldn't blame the post office if someone comes along and
> > steals it.
>
> I agree with this. The problem is that the average user won't think
> about the security issues of using this service.
>
> > Second, the whole idea behind tinyurl is to take long, difficult to type
> > URLs and change them into something much easier.  In order for them to
> > generate a string that was long enough so that the chance of someone
> > randomly guessing another valid string is low, they would have to use a
> > string so long that it would only be marginally easier to type or send
than
> > the original URL it was designed to replace...
>
> I like the implementation at http://www.makeashorterlink.com much better.
> First, it doesn't blindly forward you to the new link so, if you're sent
> a link to porn, you have a chance to shut the window before you get
> obscene pictures plastered across your monitor for your entire office
> to see. Second, it's harder to "guess" valid URLs, since it assigns them
> more randomly.
>
> However, in the long run, I don't think it's a major security issue.
> You'd have to browse through thousands of guesses before you stumble
> across sensitive information. There are far easier ways of getting
> credit card numbers.
>
> Still, they should have a warning on their site. After all, curling
> irons have warnings not to insert them into any orifice. :)
>
> -- 
> Troy
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html