As as spend more time using twitter, I understand the need for shortened URL’s and make heavy use of them. But, when I am viewing a tweet I always hesitate before clicking on those links knowing that they could be easily used to hide some sort of XSS or SQL Injection payload in the redirect.
It would be a great way to target accounts of twitter followers to even attack Intranet sites as well as public facing sites. Maybe some good proof of concept hacks will need to be created to demonstrate. Will leave that for another day.
I am sure some of these link shortening providers have put some effort into blocking XSS payloads from the URL’s they shorten, but its easy enough to have the short URL point to a page on the bad guys site which will perform a 302 with the payload in the Location header. This story/video on Help Net Security from a couple years ago tried to warn us.
I wish links didn’t count against the 140 char limit on twitter so these shortened URLs wouldn’t be as needed. Oh well, looks like another instance where features trump security.
(Now time to use bit.ly to make a short link of this blog post so I can tweet it)