McAfee’s Secure Short URL Service not so secure

When McAfee launched its own URL-shortening service (mcaf.ee), the company touted it as “secure”, meaning that it would guarantee that a shortened link isn’t malicious by scanning it and checking it against the ever-evolving Global Threat Intelligence database to filter out the bad ones.

In theory, this sounded like a perfect plan. But what happens when the results are not so perfect?

M86 Security Labs’ researchers decided to test whether the service works as it should. They checked whether a phishing URL blocked by Facebook (hxxp://poker100.t35.com/index1.html) would be blocked when clicked on in its shortened form, and the result was not good:

The URL wasn’t blocked by Facebook, and what’s worse – the opened page was sporting a big “This Site Is Safe” sign complete with a green checkmark, which would likely reassure the majority of potential victims and make them enter their Facebook credentials believing the site is legitimate.

The researchers noted that Facebook started blocking this shortened version of the URL after only a few minutes, but this short period of time would be enough to steal a number of credentials. That’s why it is best not to follow shortened links posted or sent by people you don’t know, and when they come from people you do know and trust, it’s best to verify with them that they have, indeed, sent the link themselves.

As for the McAfee URL-shortening service, we can only hope that once it exits the beta testing phase, problems like this will no longer be an issue.