Full Disclosure mailing list archives
Re: TinyURL
From: "Joel R. Helgeson" <joel () helgeson com>
Date: Wed, 29 Oct 2003 14:44:12 -0700
Who cares about credit card numbers, I'm looking for privileged access to sites. Consider the following: People use this service as an attempt to obfuscate the usernames and passwords to protected websites and FTP servers that they email out. I'm finding a lot of URLs that read like:

http://username:password () www protectedsite com/members
ftp://user:pass () ftp securedftp com/private/sourcecode

Looks like they wanted to get someone into their site, but didn't want to actually 'give' the username and password out, so they tinyurl'ed it. This means they've posted their username and password to the entire web!!

Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."

----- Original Message -----
From: "Troy" <th () zeno com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, October 29, 2003 1:57 PM
Subject: Re: [Full-disclosure] TinyURL
On Wed, 29 Oct 2003 08:30:17 -0600, "David Klotz" <klotz () acm org> wrote:

> I don't agree. First, you shouldn't be using a service like this to send sensitive information in the first place, and if you are, you get what you deserve. If I leave my bank account number in my mailbox so I'll know where to get it, I shouldn't blame the post office if someone comes along and steals it.

I agree with this. The problem is that the average user won't think about the security issues of using this service.

> Second, the whole idea behind tinyurl is to take long, difficult-to-type URLs and change them into something much easier. In order for them to generate a string that was long enough so that the chance of someone randomly guessing another valid string is low, they would have to use a string so long that it would only be marginally easier to type or send than the original URL it was designed to replace...

I like the implementation at http://www.makeashorterlink.com much better. First, it doesn't blindly forward you to the new link so, if you're sent a link to porn, you have a chance to shut the window before you get obscene pictures plastered across your monitor for your entire office to see. Second, it's harder to "guess" valid URLs, since it assigns them more randomly.

However, in the long run, I don't think it's a major security issue. You'd have to browse through thousands of guesses before you stumble across sensitive information. There are far easier ways of getting credit card numbers. Still, they should have a warning on their site. After all, curling irons have warnings not to insert them into any orifice. :)

--
Troy

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
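Two practical checks follow from this exchange: Joel's point that people paste `user:password@host` URLs into mail (and then shorten them), and the argument in Troy's quoted reply that a shortener's slug has to be long enough that a random guess almost never lands on a valid link. The Python below is an added example written for this archive page, not code from any poster or from TinyURL; it redacts embedded credentials from URLs found in free text (the kind of check an outbound-mail or paste filter would run) and sizes a slug length for a chosen valid-slug density. The sample text, the loose URL regex and the alphabet/link-count figures are all constructed for illustration.

```python
"""Added example, not from the thread: detect and redact user:password
credentials embedded in URLs, and size a URL-shortener slug length.
All sample inputs below are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

# Loose matcher for the schemes mentioned in the thread (http, https, ftp).
# Constructed for this example; a production filter would use a stricter grammar.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)


def has_embedded_credentials(url: str) -> bool:
    """True when the authority part carries userinfo, i.e. user@ or user:pass@."""
    return "@" in urlsplit(url).netloc


def redact_url(url: str) -> str:
    """Drop the userinfo component, keeping scheme, host[:port], path, query, fragment."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # Everything after the last '@' in the authority is host[:port]; keep it verbatim
    # so bracketed IPv6 hosts and explicit ports survive untouched.
    hostport = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))


def find_credentialed_urls(text: str) -> list:
    """Return every URL in the text that embeds credentials, in order of appearance."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if has_embedded_credentials(m.group(0))]


def redact_text(text: str) -> str:
    """Rewrite the text with credentials stripped from every URL; other text is unchanged."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), text)


def valid_slug_fraction(alphabet_size: int, slug_len: int, assigned: int) -> float:
    """Fraction of the slug space that resolves to a real link, i.e. the chance that
    one uniformly random slug of this length is valid."""
    return assigned / (alphabet_size ** slug_len)


def min_slug_len(alphabet_size: int, assigned: int, max_fraction: float) -> int:
    """Smallest slug length that keeps the valid fraction at or below max_fraction,
    for a shortener that has already handed out `assigned` links."""
    n = 1
    while valid_slug_fraction(alphabet_size, n, assigned) > max_fraction:
        n += 1
    return n


# Constructed sample: the shape of mail Joel describes, with fictitious hosts.
SAMPLE_MAIL = (
    "Here you go: http://username:password@www.protectedsite.com/members and "
    "ftp://user:pass@ftp.securedftp.com/private/sourcecode plus the public docs at "
    "http://example.com/docs"
)

if __name__ == "__main__":
    for url in find_credentialed_urls(SAMPLE_MAIL):
        print("credentials in URL:", url)
    print(redact_text(SAMPLE_MAIL))
    # Illustrative sizing: 62-character alphabet, one million links issued,
    # keep at most one valid slug per million guesses.
    print("slug length needed:", min_slug_len(62, 1_000_000, 1e-6))
```

`redact_text` is deliberately lossless for everything except the userinfo component, so it can sit in front of a mail gateway or a shortener's submit form without mangling legitimate links; `min_slug_len` makes Troy's trade-off concrete, since the length you need grows with the number of links issued, not just with the alphabet.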
Current thread:
- TinyURL Joel R. Helgeson (Oct 29)
- Re: TinyURL Thomas Springer (Oct 29)
- Re: TinyURL Kenton Smith (Oct 29)
- RE: TinyURL Ricky Blaikie (Oct 29)
- Re: TinyURL Joel R. Helgeson (Oct 29)
- Re: TinyURL Martin Schuster (Oct 30)
- Re: TinyURL Josh (Oct 30)
- <Possible follow-ups>
- RE: TinyURL David Klotz (Oct 29)
- Re: TinyURL Troy (Oct 29)
- Re: TinyURL Joel R. Helgeson (Oct 29)
- Re: TinyURL Troy (Oct 29)
- Re: TinyURL Helge Oldach (Oct 29)
- Re: TinyURL Troy (Oct 29)
- RE: TinyURL Bassett, Mark (Oct 29)
- Re: TinyURL John Sage (Oct 29)
- Re: TinyURL Jimmy Alderson (Oct 29)
- Re: TinyURL John Sage (Oct 29)
- Re: TinyURL John Sage (Oct 29)
- RE: TinyURL Steffen Kluge (Oct 30)
- TinyURL Dennis Cooper (Oct 29)
- Re: TinyURL Joel R. Helgeson (Oct 29)