VIDEO | February 12, 2021, 12 pm EDT
Ph.D. Researcher, Boston University
To make their services more user-friendly, online social media platforms automatically identify text that corresponds to URLs and render it as clickable links. In this paper, we show that the techniques used by such services to recognize URLs are often too permissive and can result in unintended URLs being displayed in social network messages. Among other findings, we show that popular platforms (such as Twitter) will render text as a clickable URL if a user forgets a space after a full stop at the end of a sentence and the first word of the next sentence happens to be a valid top-level domain. Attackers can take advantage of these unintended URLs by registering the corresponding domains and exposing millions of Twitter users to arbitrary malicious content. To characterize the threat that unintended URLs pose to social media users, we perform a large-scale study of unintended URLs in tweets over a period of 7 months. By designing a classifier capable of differentiating between intended and unintended URLs posted in tweets, we find more than 26K unintended URLs posted by accounts with tens of millions of followers. As part of our study, we also register 45 unintended domains and quantify the traffic that attackers can get by merely registering the right domains at the right time. Finally, due to the severity of our findings, we propose a lightweight browser extension that analyzes tweets on the fly as users compose them and raises a warning about potentially unintended URLs, allowing users to fix their mistakes before the tweet is posted.
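The missing-space mistake described above ("...weekend.It will be great") can be caught before posting with a simple heuristic checker. The following Python is an added illustration, not the paper's classifier or the authors' browser extension: it finds tokens that a permissive linkifier would treat as a domain, and flags those whose top-level domain starts a new sentence (capitalised) or is also an everyday English word. The TLD list is a constructed subset of real TLDs and the two heuristics are my own assumptions, not rules taken from the paper.

```python
import re
from dataclasses import dataclass

# Constructed subset of real TLDs (all exist in the IANA root zone). A production
# checker would load the complete root-zone list instead of this sample.
SAMPLE_TLDS = {"com", "net", "org", "io", "it", "is", "at", "be",
               "me", "so", "no", "in", "to", "us"}

# TLDs that double as ordinary English words and therefore often appear as the
# first word of the next sentence when a space after the full stop is missing.
WORD_LIKE_TLDS = {"it", "is", "at", "be", "me", "so", "no", "in", "to", "us"}

# A token a permissive linkifier might render as a link: dot-separated labels,
# then a dot and an alphabetic TLD. The look-behind rejects matches that sit
# inside an e-mail address (after '@') or behind a URL scheme/path ('/').
CANDIDATE_RE = re.compile(
    r"(?<![\w@/.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)\.([A-Za-z]{2,63})(?![\w-])"
)


@dataclass
class Candidate:
    domain: str        # lower-cased domain a linkifier would produce
    start: int         # offset of the token in the tweet text
    end: int
    unintended: bool   # heuristic verdict
    reason: str        # human-readable explanation for the warning


def classify(label: str, tld: str) -> tuple[bool, str]:
    """Heuristic (assumption, not the paper's model): decide whether a
    'label.tld' token looks like a sentence boundary rather than a domain."""
    if tld[0].isupper():
        return True, ("TLD starts with a capital letter: looks like the first "
                      "word of a new sentence")
    if tld.lower() in WORD_LIKE_TLDS and not label.lower().startswith("www"):
        return True, f"'.{tld}' is both a TLD and a common word; likely a missing space"
    return False, "looks like an intentional domain"


def find_candidates(text: str) -> list[Candidate]:
    """Return every token in `text` that a linkifier could turn into a clickable
    domain, with the heuristic verdict attached."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        label, tld = m.group(1), m.group(2)
        if tld.lower() not in SAMPLE_TLDS:
            continue  # not a TLD, so no linkifier would render it
        unintended, reason = classify(label, tld)
        found.append(Candidate(f"{label}.{tld}".lower(), m.start(), m.end(),
                               unintended, reason))
    return found


def unintended_domains(text: str) -> list[str]:
    """Domains a user should be warned about before posting."""
    return [c.domain for c in find_candidates(text) if c.unintended]


if __name__ == "__main__":
    # Constructed sample tweet text.
    draft = "Can't wait for the weekend.It will be great! Visit twitter.com or https://example.com"
    for c in find_candidates(draft):
        flag = "WARN" if c.unintended else "ok  "
        print(f"{flag} {c.domain:<14} @{c.start}-{c.end}: {c.reason}")
```

Running the block prints a warning for `weekend.it` and accepts `twitter.com`; the scheme-prefixed `https://example.com` is skipped entirely because the look-behind refuses to start a match right after `/`. The capitalised-TLD rule is the cheap win here: a genuine domain is rarely typed with a capitalised suffix, while a forgotten space almost always produces one.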
Beliz graduated from the Electrical and Electronics Engineering school of Middle East Technical University. After a year in industry as a software engineer, she began pursuing her Ph.D. at Boston University. Beliz is currently in her sixth semester and has published three papers in the area of web security. Since declaring cybersecurity as her area of interest, she has worked closely with Dr. Manuel Egele and Dr. Gianluca Stringhini in their security lab (SeclaBU) at Boston University.