Minor mischief: create redirect loops from predictable short URLs
I was checking out the new bit.ly URL shortening service from Betaworks.
I started wondering how random the URLs from these URL-shortening services could be. I wrote a tiny script the other day to turn URLs given on the command line into short URLs via is.gd:
import urllib, sys
for arg in sys.argv[1:]:
print urllib.urlopen(
'http://is.gd/api.php?longurl=' + arg).read()
I ran it a couple of times to see what URLs it generated. Note that you have to use a new URL each time, as it’s smart enough not to give out a new short URL for one it has seen before. I got the sequence http://is.gd/JzB, http://is.gd/JzC, http://is.gd/JzD, http://is.gd/JzE,…
That’s an invitation to some minor mischief, because you can guess the next URL in the is.gd sequence before it’s actually assigned to redirect somewhere.
We can ask bit.ly for a short URL that redirects to our predicted next is.gd URL. Then we ask is.gd for a short URL that redirects to the URL that bit.ly gives us. If we do this fast enough, is.gd will not yet have assigned the predicted next URL and we’ll get it. So the bit.ly URL will end up redirecting to the is.gd URL and vice versa. In ugly Python (and with a bug/shortcoming in the nextIsgd function):
import urllib, random
def bitly(url):
return urllib.urlopen(
'http://bit.ly/api?url=' + url).read()
def isgd(url):
return urllib.urlopen(
'http://is.gd/api.php?longurl=' + url).read()
def nextIsgd(url):
last = url[-1]
if last == 'z':
next = 'A'
else:
next = chr(ord(last) + 1)
return url[:-1] + next
def randomURI():
return 'http://www.a%s.com' % \
''.join(map(str, random.sample(xrange(100000), 3)))
isgdURL = isgd(randomURI())
print 'Last is.gd URL:', isgdURL
nextIsgdURL = nextIsgd(isgdURL)
print 'Next is.gd URL will be:', nextIsgdURL
# Ask bit.ly for a URL that redirects to nextIsgdURL
bitlyURL = bitly(nextIsgdURL)
print 'Step 1: bit.ly now redirects %s to %s' % (
bitlyURL, nextIsgdURL)
# Ask is.gd for a URL that redirects to that bit.ly url
isgdURL2 = isgd(bitlyURL)
print 'Step 2: is.gd now redirects %s to %s' % (
isgdURL2, bitlyURL)
if nextIsgdURL == isgdURL2:
print 'Success'
else:
print 'Epic FAIL'
This worked first time, giving:
Step 1: bit.ly now redirects http://bit.ly/fkuL8 to http://is.gd/JA9 Step 2: is.gd now redirects http://is.gd/JA9 to http://bit.ly/fkuL8
In general it’s not a good idea to use predictable numbers like this, which hardly bears saying as just about every responsible programmer knows that already.
is.gd wont shorten a tinyurl.com link, as tinyurl is on their blacklist. So they obviously know what they’re doing. The bit.ly service is brand new and presumably not on the is.gd radar yet.
And finally, what happens when you visit one of the deadly looping redirect URLs in your browser? You’d hope that after all these years the browser would detect the redirect loop and break it at some point. And that’s what happened with Firefox 3, producing the image above.
If you want to give it a try, http://bit.ly/fkuL8 and http://is.gd/JA9 point to each other. Do I need to add that I’m not responsible if your browser explodes in your face?
You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.
July 6th, 2008 at 4:19 pm
[…] On the fluidinfo blog today: “Minor mischief: create redirect loops from predictable short […]
October 12th, 2008 at 8:34 am
[…] public links >> shorturl Minor mischief: create redirect loops from predictable short URLs Saved by nathy on Fri […]