
NDSS 2025 – Misdirection Of Trust: Demystifying The Abuse Of Dedicated URL Shortening Service

Session 11C: Web Exploitation

Authors, Creators & Presenters: Zhibo Zhang (Fudan University), Lei Zhang (Fudan University), Zhangyue Zhang (Fudan University), Geng Hong (Fudan University), Yuan Zhang (Fudan University), Min Yang (Fudan University)

PAPER
Misdirection of Trust: Demystifying the Abuse of Dedicated URL Shortening Service

Dedicated URL shortening services (DUSSs) are designed to transform trusted long URLs into shortened links. Since DUSSs are widely used by famous corporations to better serve their large number of users (especially mobile users), cyber criminals attempt to exploit DUSSs to transform their malicious links and abuse the inherited implicit trust, which is defined as a Misdirection Attack in this paper. However, little effort has been made to systematically understand such attacks. To fill this research gap, we present the first systematic study of the Misdirection Attack in abusing DUSSs to demystify its attack surface, exploitable scope, and security impacts in the real world. Our study reveals that real-world DUSSs commonly rely on custom URL checks, yet they exhibit unreliable security assumptions regarding web domains and lack adherence to security standards. We design and implement a novel tool, Ditto, for empirically studying vulnerable DUSSs from a mobile perspective. Our large-scale study reveals that a quarter of the DUSSs are susceptible to the Misdirection Attack. More importantly, we find that DUSSs hold implicit trust from both their users and domain-based checkers, extending the consequences of the attack to stealthy phishing and code injection on users’ mobile phones. We have responsibly reported all of our findings to the corporations operating the affected DUSSs and helped them fix their vulnerabilities.
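The abstract's core point is that a shortener's custom URL check, resting on a wrong assumption about where a trusted domain name may appear in a URL, lets an attacker obtain a short link on the shortener's trusted domain that points at an attacker-controlled target. The following is an added illustration written for this page, not the authors' tool Ditto nor the code of any DUSS studied in the paper: a weak substring-style check sits beside a hardened one that parses the URL and matches the exact hostname against an allowlist. The shortener domain s.example.com, the allowlist, the attacker.test host and the probe URLs are all constructed for the example; they illustrate the general class of wrong domain assumptions rather than any specific bypass the paper reports.

```python
"""Added example: Misdirection Attack against a hypothetical DUSS.
A weak custom domain check beside a hardened one.  Not the paper's
code; all domains, the allowlist and the probe URLs are constructed."""
import hashlib
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

SHORT_HOST = "s.example.com"  # hypothetical DUSS domain (assumption)
# Constructed allowlist of long-URL hosts the hypothetical DUSS may shorten.
ALLOWED_HOSTS = {"example.com", "www.example.com", "m.example.com"}


def naive_check(long_url: str) -> bool:
    """Weak custom check (assumed for illustration): accept any URL that
    merely contains the trusted domain name as a substring.  It assumes
    the name can only occur as the host, which is false."""
    return "example.com" in long_url


def strict_check(long_url: str) -> bool:
    """Hardened check: parse the URL, require http(s), and compare the
    exact lower-cased hostname (userinfo and port stripped by urlsplit)
    against the allowlist.  No substring or suffix matching."""
    try:
        parts = urlsplit(long_url)
    except ValueError:  # e.g. a malformed IPv6 literal in the authority
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # None when the URL has no authority component
    return host is not None and host in ALLOWED_HOSTS


def shorten(long_url: str, check: Callable[[str], bool]) -> Optional[str]:
    """Hypothetical DUSS front end: issue a short link on the trusted
    domain only when the check accepts the long URL, else refuse."""
    if not check(long_url):
        return None
    slug = hashlib.sha256(long_url.encode()).hexdigest()[:8]
    return f"https://{SHORT_HOST}/{slug}"


# Constructed probe URLs.  "legit" and "case" are legitimate targets; the
# others place the trusted name somewhere other than the host.
PROBES = {
    "legit":     "https://www.example.com/login",
    "subdomain": "https://example.com.attacker.test/login",  # name as a leading label
    "path":      "https://attacker.test/example.com/login",  # name in the path
    "userinfo":  "https://example.com@attacker.test/login",  # name as userinfo
    "query":     "https://attacker.test/?next=https://example.com",
    "scheme":    "javascript:alert(document.domain)//example.com",  # non-web scheme
    "case":      "https://M.EXAMPLE.COM/app",                # legitimate, mixed case
}


def evaluate(check: Callable[[str], bool]) -> Dict[str, bool]:
    """For each probe, report whether the given check would let the DUSS
    issue a short link (True) or refuse (False)."""
    return {name: shorten(url, check) is not None for name, url in PROBES.items()}


if __name__ == "__main__":
    for label, check in (("naive", naive_check), ("strict", strict_check)):
        print(label, evaluate(check))
```

Run stand-alone, the naive checker shortens every attacker-controlled probe (and, because it matches raw text, even refuses the legitimate mixed-case URL), while the strict checker accepts only the two legitimate targets. Every short link the naive checker issues lives on s.example.com, which is the implicit trust a downstream domain-based filter or a mobile user then extends to the attacker's destination. If a deployment must accept whole subdomain trees, replace the exact-match set with an explicit `host == d or host.endswith("." + d)` test over a short list of owned registrable domains; never test for the name anywhere else in the URL.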

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.


Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing its creators', authors' and presenters' superb NDSS Symposium 2025 conference content on the organization's YouTube channel.


*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/EbIyEKJdRLQ?si=wwsDxBZbXD4snTi9