Bit.ly has partnered with security firms to bolt improved anti-spam and malware protection onto the URL shortening service. VeriSign’s iDefense IP reputation service will be used to screen against links that point to blacklisted sites hosting exploits, malicious code, botnet command and control servers or other nefarious …
Don't they use a custom UA to request those URLs?
OK, so I made a page that returns the UA of the request in the title and shortened it with bit.ly.
I got the title back as "bitlybot" (bitly bot is the UA that bit.ly uses). Then I made it so it would "cloak" the page when bit.ly was requesting it: http://bit.ly/cloakua. Now you get a different page if bit.ly requests it rather than a regular user. This is even better if you know all bit.ly IPs; then you can do IP-based cloaking, which is even better.
I know this is a simple attack, but I think it demonstrates my point.
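A defender-side check for the UA cloaking described in the comment above, added here as an example and not code from the commenter or from bit.ly: it requests the same URL once with the scanner UA and once with a browser UA and flags divergent responses. The `fetch` callable, the browser UA string and the sample pages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# "bitlybot" is the scanner UA reported in the comment above; the browser
# string is a constructed sample.
SCANNER_UA = "bitlybot"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"

def _title(html):
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip() if m else ""

def _links(html):
    # Link and script targets: content shown only to one client shows up here.
    return set(re.findall(r"""(?:href|src)\s*=\s*["']([^"']+)""", html, re.I))

def _normalize(html):
    # Drop comments and collapse whitespace so cosmetic noise does not count.
    html = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    return re.sub(r"\s+", " ", html).strip().lower()

def check_cloaking(fetch, url, threshold=0.9):
    """fetch(url, user_agent) -> (status, body). Returns a findings dict."""
    s_status, s_body = fetch(url, SCANNER_UA)
    b_status, b_body = fetch(url, BROWSER_UA)
    ratio = SequenceMatcher(None, _normalize(s_body), _normalize(b_body)).ratio()
    reasons = []
    if s_status != b_status:
        reasons.append("status differs")
    if _title(s_body) != _title(b_body):
        reasons.append("title differs")
    only_browser = _links(b_body) - _links(s_body)
    if only_browser:
        reasons.append("links served only to browser UA")
    if ratio < threshold:
        reasons.append("body similarity below threshold")
    return {"cloaked": bool(reasons), "similarity": round(ratio, 2),
            "reasons": reasons, "browser_only_links": sorted(only_browser)}

# Constructed stand-in for an HTTP client so the example runs offline.
def fake_fetch(url, user_agent):
    if url.endswith("/cloaked") and user_agent == SCANNER_UA:
        return 200, "<html><title>Recipes</title><a href='/about'>About</a></html>"
    if url.endswith("/cloaked"):
        return 200, "<html><title>Free prize</title><script src='http://example.invalid/x.js'></script></html>"
    return 200, "<html><title>Blog</title>\n  <a href='/about'>About</a></html>"
```

A UA comparison does not catch the IP-based variant the comment mentions; for that, the second fetch has to come from an address not associated with the scanner.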
Couldn't they cut out all the middle men and just let Google integrate it with their Safe Browsing API?