Don’t get bit: URL-shortening service flagged as malware

Tips & tricks
3 mins
Bitly links flagged as Malware.

If you can’t trust Bitly, who can you trust? Citizens of the web found themselves stymied last week when Google Chrome and Firefox began blocking access to these popular links, claiming that “attackers currently on bit.ly might attempt to install dangerous programmes on your device that steal or delete information”. This is a problem, since most of the Twitterverse relies on the service to reliably shorten links, and it’s often tapped as a reputable way for companies to slim down corporate URLs — seeing “.ly” gives users a measure of confidence in their click. Is that confidence misplaced?

Small Link, Big Problem

According to Bitly’s website, they’ve shortened over 19 billion links in total and process 80 million requests per day. So it came as a surprise when Firefox and Chrome browsers suddenly tossed up a malware warning and told users to stop and give their heads a shake. Stranger still? According to The Next Web, Safari and Internet Explorer weren’t affected by the outage.

Google claims that Bitly was listed for suspicious activity 31 times over the last 90 days, and that in the last three months “669 pages resulted in malicious software being downloaded and installed without user consent.” This from a total of over 91000 pages tested, which works out to less than 1 percent. Concerning, sure, but enough to slam the gates closed on all bit.ly links across the board?

The URL shortening service was quick to Tweet awareness of the issue, and switched over to using bitly.com while bit.ly was out of commission. They also noted that all other services offered were working without issue — only the free-to-use, seen-everywhere .ly link was causing problems. They point the finger at Google’s SafeBrowsing service and says no data or links were ever compromised.

Bit the Bullet

Were Bitly links malware-laden, or not? The definitive answer is maybe. While it’s tempting to assume this was just jockeying by Google for some kind of greater Web control, it’s clear at least some of the links created by users weren’t above board. Bitly does use data from independent sources such as Sophos, Websense and VeriSign to help evaluate the trustworthiness of Bitlinks before they’re created, but it’s not all that difficult for malicious actors to slip in malware that won’t be detected by cursory scans. And sure, you can add a “+” to the end of a Bitly link and get a preview page but most users don’t bother.

It’s also worth noting that Bitly itself was compromised back in May — attackers had access to usernames, passwords and the company’s source code after an employee account was hacked. Upon discovering the breach, all user login credentials were reset and the company enabled two-factor authentication, but the point was made: even link shortening sites are attractive hacker targets. It’s not hard to imagine why. If malicious actors gain access to a company’s Bitly account, they could start posting shortened links laden with redirects to malware. User familiarity with the hacked company and Bitly’s service makes these Bitlinks the perfect carriers: here, security is assumed rather than tested.

Call of the Click

Users love clicking on links — ff websites make claims, we want evidence. If news events happen, we want video. Bitly tapped into this siren call of clicking and created a simple service that provides URL shortening with a consistent format, in turn giving users confidence about whatever lies beyond the link. And while Google might have been overzealous in blocking access to bit.ly links thanks to low volume attack reports, the lesson remains: do you really know what’s past that click? Is it safe, just because it has a “.ly”?

Maybe. But there’s also a chance that you’re headed to a duped page or prompt to download “critical” software updates.

Surf smart: check your links with something like the URL Unshortener before opening. If in doubt, don’t click!

ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.