Hacker News new | past | comments | ask | show | jobs | submit login
Shrturl: Faking the web since 1942 (shrturl.co)
258 points by priteshjain on June 5, 2014 | hide | past | web | favorite | 78 comments

It seems it's been shut down already [1] --apparently after threats of legal action. I can see though how such a site would easily become a major liability honeypot for anyone.

[1] http://t.co/ctKD8VcLpp

Note that this is faked a page using the tools that this site offers.

That is, the site is not shutting down.

Come on man, really?

Oh, you unbelievably clever person. I was all ready to type up a serious reply and everything.

Well done, my friend.

I think a lot of us have come up with variations on this idea over the years. (I know I have. The holy grail is surreptitiously installing a Greasemonkey script on a co-worker's computer, so that the URL is the real URL.)

But what's changed in the last year or two is that people are now much more familiar with URL shortener links. Every major media site is using them, and just about everybody understands what their purpose is.

I can totally see how someone who would spot a phishing page from a mile away because of the strange URL might overlook the fact that a URL shortener doesn't actually redirect you to the legit page, but rather presents a spoofed version.

I tried it on a tech-savvy friend, taking a news story about GM firing engineers over the recall and changing the headline to say that they fired Bob Dole. His immediate reaction was to think that the WSJ got hacked, with the secondary possibility that Bob Dole really did work for GM somehow. He didn't realize what was going on until I posted a second version saying he had been fired by GM.

Be careful out there, kids.

An example of a link to a GitHub page: http://shrturl.co/VUYHJ. (Original: https://github.com/mozilla/rust/issues/14657 .)

I see that SHRTURL deleted the page title, which users might also notice – but it’s better than keeping the original title, which would now be wrong. SHRTURL also can’t handle GitHub’s custom font with which they render their icons, so the site logo is missing. And you are logged out in the linked page, which is pretty visible, but there’s no way SHRTURL could get around that.

The OP's site is really clever. Your Github page shows that it significantly lowers the barrier to MTM attacks. I wonder what ways there are to protect users against this kind of spoofing.

Check the URL bar carefully?

Indeed, an actual link shortener would show github.com/yada/yada/yada. Since it only redirects you. Notice shrturl.co doesn't.

Unsophisticated journalists routinely fall for Onion articles getting picked up as actual news items.

I can only wonder how often they're going to get pranked by something that really does look like a news site but for a subtle change.

Oh yeah. What amuses me even more is people finding a link to Onion-style blog post and not realising that it's parody/sarcasm/whatever (e.g. Swedish House Mafia is sued by Swedish Mafia for copyright infringement).

Sometimes I point that out, and usually get a response "how do you know it's not real? do you know all the news of the world?". People like that make me believe in the trolling power of this tool.

You might like this: http://literallyunbelievable.org/

Soon we'll have people posting tweets with links to BBC/CNN articles with bogus info in it, and other journalists will start taking that information.


Some pretty big news organizations have run with Onion sources and / or wikipedia falsehoods.

There was that one case where it created a circular reference too.

[E.g. Journalist creates an unsubstantiated article about something on Wikipedia. Eventually Wikipedia cites said article as a reference. ]

Fox News was one of them IIRC.

This is pretty funny and well done - but doesn't a real short url just redirect to the original so you end up with the full url in your browser bar?

Of course we all know how much attention most people pay to what their browser is telling them.

Well, and given recent UI changes to the address bar from both Apple [0] and Google [1] - I'd say that people will begin paying even less attention to URLs.

Trolls rejoice.

[0] http://appleinsider.com/articles/14/06/04/os-x-yosemite-firs...

[1] http://www.zdnet.com/google-experimenting-with-hiding-urls-i...

Google is hiding PATH not DOMAIN_NAME, which makes this phishing activity EASIER to detect. That's the point of the feature!

Except it isn't phishing.

That's debatable. I think the only difference is maybe the intent of the attacker?

As I understand it, phishing is when you obtain sensitive information from a user while impersonating a site the user trusts. I don't suppose there's any exchange of sensitive information taking place here (nor is it possible if I am not mistaken, unless the website creator has any bad intent).

Removing http:// from the url was bad enough. Now they are going to only show the domain? I'm so glad I don't use chrome anymore. It's this kind of obnoxious "we know better than you and won't let you configure otherwise" bullshit that made me hate it.

Even if it was customizable, the defaults is something most people don't change.

Case and point: IE Toolbars. People hate them but never remove them. Ever. Even as those toolbars are making their browser take minutes to load any page.

That used to be true, but these days IE is pretty aggressive about disabling things, and telling you when they're slowing you down. Doesn't help everyone but seems to help some.

The chrome setting is behind a config flag.

Those changes should make this kind of thing more obvious, not less, unless you can figure out a way to host the altered version on github.com.

Using github.io? As the URL bar loses importance then people will just tend to ignore it, and on first glance (and probably for anyone who's not familiar with github pages) they will both look as valid.

You can't use github.io, only [project-name].github.io. Sure they could use a fake-but-similar project name, but then again, they already could with github.com/[project-name]. I don't see the big difference for the user.

Did you mean http://shrturl.co/EPUi5 ?

Why don't they just bold the domain? Chrome sort of grays the rest of the URL, but the difference isn't stark enough.

Couldn't you change the browser display of the url without reloading the page such that you can mimic the url as well.

There's no way any browser would allow that and no reason for it. It would make phishing orders of magnitude more effective.

If you're feeling particularly nefarious, run the URL that Shtrurl.co gives you through often used and more readily "trusted" shorteners like bit.ly or tinyurl.com.

Here's one (Amazon's new phone, title from a /r thread): http://shrturl.co/Wme7K

Dying here, nice start to the morning, thanks

that's hilarious. :)

We had one of these posted earlier today about AH buying YC:


I'm the one who wrote that. :) It was meant to be a joke to get some twitch reactions out of a few friends, but apparently spread like wildfire.

TechCrunch reached out earlier this morning. They are not happy with me.

Apologies for flagging it but it looked good enough that I thought some real damage might come of it. YC being implicated in a thing like that would have looked really bad.

You really shouldn't have used a real persons by-line there, that made it much more believable. Still, kudos for the prank, it was funny, especially the insane valuation.

Oh I wasn't the one who submitted it to HN, I really only meant for it to deceive my friends, haha. I understand though! Fine by me.

And thanks! Glad you enjoyed it. I've resolved it with the reporter in question, we're all good.

I was on mobile when I say this and didn't even notice the url. I can see how people on mobile atleast chrome can fall for stuff like this.

PaaS? (Phishing as a Service)?


One suggestion. Put an annoying top menu / banner up and pretend to load the target content in a frame. There are some url shorteners / sites that do that sort of thing. To a lot of people it will be annoying, but it will hide the fact that they're not actually being served from the target web site.

Tried it on hacker news: http://shrturl.co/AtYui

I knew something was going to be changed, and still fell for it. Good job.

Fun FF29.0.1 (windows 7) doesn't apply I'm guessing link CSS so everything is bright blue links looks really fake. Refreshed the page a few times to check, it stayed.

Nah, it's also on Chromium on Arch. It looks like (via the requests panel) it's not loading news.css for some reason, even though it's in the source.

Did the same: http://shrturl.co/6PcYY

Anything from shrturl.co appears to be blocked at work for me. So I guess we already don't trust it.


    Warning: file_get_contents() [function.file
    get-contents]: php_network_getaddresses: getaddrinfo
    failed: Name or service not known in /nfs/c04/h02/mn
    /180736/domains/shrturl.co/html/create.php on line 18

    Warning: file_get_contents(http://gnehmeh)
    [function.file-get-contents]: failed to open stream:
    php_network_getaddresses: getaddrinfo failed: Name or
    service not known in /nfs/c04/h02/mnt/180736/domain
    /shrturl.co/html/create.php on line 18

This is really funny, but some points for improvement:

1. The editing UI is a bit shaky, for example - not handling links that great.

2. It doesn't replicate a site perfectly (This shows even on simple sites like HN)

3. If you click on a link you go back to the original site.

A modest proposal for improvement - check out TOMODO API.(http://tomodo.com/api/).

Their site allows for exactly this kind of modification but, being a commercial startup, is much more polished. They already solved problems 2 and 3 for you and you can use that tech through the API.

Bitdefender Free Edition blocks http://shrturl.co/ (says it's phishing) but doesn't block http://shrturl.co/AtYui or other short URLs generated with the site. Seems like pretty poor logic.

I can think of a nefarious way to use this: Amazon.com price matching at brick and mortar stores like Target.

Step 1 - Find a product you want to buy

Step 2 - Shorten it and change the price manually to a "believable" number

Step 3 - Go into Target and show the price to a customer service agent (usually not tech saavy) and they will see that it looks like Amazon.

Step 4 - Profit???

Well, every shortened URL I want to access goes through http://unshort.me/ . Not only I don't like surprises, but I also hate being tracked for no reason and I'm hoping unshort.me doesn't send everything their way anyway.

Gotta` prepare for HN dude...

Warning: mysqli::mysqli() [mysqli.mysqli]: (42000/1203): User db180736 already has more than 'max_user_connections' active connections in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/inc/bootstrap.php on line 18

Not only that. Gotta prepare to never show messages like this. User 'db180736' is a bit too much information for the outside world.

I just make my own urls look correct, easy, and easy to type (not 988 characters of goop).

Tech from 1942...

Warning: mysqli::mysqli() [mysqli.mysqli]: (42000/1203): User db180736 already has more than 'max_user_connections' active connections in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/inc/bootstrap.php on line 18

Warning: mysqli::real_escape_string() [mysqli.real-escape-string]: Couldn't fetch mysqli in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/view.php on line 6

Warning: mysqli::query() [mysqli.query]: Couldn't fetch mysqli in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/view.php on line 7

Fatal error: Call to a member function fetch_object() on a non-object in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/view.php on line 9

Reminds me of the great prank vaticano.org in 1998: http://0100101110101101.org/vaticano-org/

A real piece of art.

http://tinyur1.co is a better alternative, don't you think?

Could turn this into a way for marketers to tweak a page before sending out an email or social media blast

It could but should not. A better product for that might be Optimizely, where you can use your actual URL. However, I once worked with an extremely obsessive owner of a business and she sat by me each time I made any changes to the copy on the website to make sure it flowed correctly when in situ, I would have sent this to her to make my life a little easier had it existed back then.

Actually, surprisingly good for our our marketer/designer to quickly mock up small changes to our landing page. We wouldn't share it publicly, but for internal use kinda neat.

http://tinyur1.co is the alternative!

Opens world for kid phishers :)

Almost good, but no images (tried with google.com)

Lost all my work due to pressing the backspace key :(

This is awesome!

Takes rickrolling to a whole new level.

really well done and funny. i like this power.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact