MajimasEyepatch | 7 months ago

It may help prevent linkjacking. If an old URL no longer works, but the goo.gl link is still available, it's possible that someone could take over the URL and use it for malicious purposes. Consider a scenario like this:

1. Years ago, Acme Corp sets up an FAQ page and creates a goo.gl link to the FAQ.

2. Acme goes out of business. They take the website down, but the goo.gl link is still accessible on some old third-party content, like social media posts.

3. Eventually, the domain registration lapses, and a bad actor takes over the domain.

4. Someone stumbles across a goo.gl link in a Reddit thread from a decade ago and clicks it. Instead of going to Acme, they now go to a malicious site full of malware.

With the new policy, if enough time has passed without anyone clicking on the link, then Google will deactivate it, and the user in step 4 would now get a 404 from Google instead.

dundarious|7 months ago

In this little story, what's the difference if the direct ACME URL was used? What does the goo.gl indirection have to do with anything?

xp84|7 months ago

Goo.gl was a terrible idea in the first place because it lends Google's apparent legitimacy (in the eyes of the average "noob") to unmoderated content that could be malicious. That's probably why they at least stopped allowing new ones to be made. By allowing old ones, they can't rule out the Google brand being used to scam and phish.

e.g. Imagine SMS or email saying "We've received your request to delete your Google account effective (insert 1 hour's time). To cancel your request, just click here and log into your account: https://goo.gl/ASDFjkl"

This was a very popular strategy for phishing and it's still possible if you can find old links that go to hosts that are NXDOMAIN and unregistered, of which there are no doubt millions.

mattmaroon|7 months ago

Only insofar as Google might wish to prevent it since their brand was on the shortened url you clicked to get there. And people not having malware is surely good for Google indirectly.

Presumably ACME used the link shortener because they wanted to put the shortened link somewhere, so someone’s going to click things like these. If Google can just delete a lot of it why not?

MajimasEyepatch|6 months ago

As the others have mentioned, the goo.gl step isn't necessary for linkjacking, but it is a reputational risk for Google.