Sunday, September 25, 2011

Distributed Attacks Using URL Shorteners and News Aggregators

[Obligatory Warning: The information below is merely a speculative issue. I am not suggesting its use on any site. It is, however, something to watch for.]

I was talking with some people in a group the other day, and our conversation turned towards the prevalence of news aggregation sites like Reddit, Digg, and others. Stories that are submitted to those sites are seen by hundreds of people, if not thousands, often within minutes of submission. Now you're probably wondering what this has to do with security.

Think about some of the attacks that have occurred recently. They've often originated with a SQL injection or perhaps a persistent JavaScript injection. A lot of attacks can be carried out entirely from the URL bar, just by injecting additional information into the URL. This is bad because anyone can 'click' a URL.

Now back to news aggregators. When you submit a link to those sites, you can choose a title, add the URL, and then it is instantly visible to many users of that site. The point of these sites is that newsworthy links and important information get "voted" to the top and that meaningless data is sent to the bottom. However, in order for a link to be sent to the bottom, some people will have to click and rate the submitted site. This is where we bring in the malicious URL from before. If the URL with injection code is passed through one or more URL shorteners, there is no way for the user of the aggregation site to know what is behind the link.

The entire point of this concept is to distribute a hacking attack. If an attacker is trying to attack a site through a form of injection, he or she can simply craft a ton of malicious links, submit them to these aggregation services from behind a proxy, and have some innocent user click them for him or her. It's effectively having others hack a site for them because when the site checks its logs, it'll see multiple IP addresses from users of the aggregation service.

Is this a big concern? Not really. But it's an interesting possibility that site admins and security professionals need to watch for on their own sites.
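For admins who want to watch for this, the pattern described above appears in access logs as the same injection-laden request arriving verbatim from many unrelated IP addresses. The following is an added example, not code from the original post; the Combined Log Format, the marker regex, the threshold, and the sample hosts, paths and log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Combined Log Format (assumed): ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"'
)
# Rough injection markers (assumption); in practice reuse your WAF/IDS rules.
SUSPICIOUS_RE = re.compile(r"'|\"|<script|\bunion\b|\bselect\b|--", re.I)

def find_distributed_payloads(lines, min_ips=3):
    """Map each suspicious request target seen verbatim from >= min_ips
    distinct client IPs to the IPs and Referer hosts that delivered it."""
    seen = defaultdict(lambda: {"ips": set(), "referers": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        query = unquote_plus(urlsplit(m["target"]).query)
        if not SUSPICIOUS_RE.search(query):
            continue
        entry = seen[m["target"]]
        entry["ips"].add(m["ip"])
        entry["referers"].add(urlsplit(m["referer"]).hostname or "-")
    return {t: e for t, e in seen.items() if len(e["ips"]) >= min_ips}

# Constructed sample data: documentation IP ranges, hypothetical hosts and paths.
PAYLOAD = "/item.php?id=1%27%20OR%20%271%27%3D%271"
def _line(ip, target, referer):
    return f'{ip} - - [25/Sep/2011:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'

SAMPLE_LOG = [
    _line("192.0.2.10", PAYLOAD, "http://aggregator.example/new"),
    _line("198.51.100.7", PAYLOAD, "http://aggregator.example/new"),
    _line("203.0.113.42", PAYLOAD, "-"),
    _line("192.0.2.10", "/item.php?id=7", "http://aggregator.example/top"),
    _line("198.51.100.7", "/item.php?id=7", "-"),
    _line("203.0.113.42", "/item.php?id=7", "-"),
    _line("203.0.113.99", "/search.php?q=%3Cscript%3E", "-"),  # single source
]

if __name__ == "__main__":
    for target, hit in find_distributed_payloads(SAMPLE_LOG).items():
        print(target, sorted(hit["ips"]), sorted(hit["referers"]))
```

Only the payload requested identically by three distinct clients is reported; the popular benign link and the single-source probe are not, which is the distinction between a shared crafted link and ordinary traffic or a lone scanner.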
