URL Shorteners as Attack Vector

Friday, September 25, 2015 @ 01:09 PM gHale

Employees who understand the importance of security, and who realize that almost anything they put online is a potential leak or attack vector, also need to grasp that even using URL shorteners can put company data at risk.

URL shorteners are Web services that turn a long link into a shorter URL, which is easier to post and track on social networks.


Because URL shorteners are widely useful to marketing departments, and to avoid having to set up public accounts, most companies use the enterprise offering of services such as Bit.ly to run their own internal URL shortening service.

Because URL shorteners also support pretty URLs, employees sometimes use them not only for social media campaigns but also to shorten the URLs of sensitive, private documents that they share with each other inside the company.

Shubham Shah, a security researcher from Sydney, Australia, working with Christina Camilleri, a pen tester and social engineer from San Francisco, found a way to extract sensitive links from companies that deploy Bit.ly as their URL shortener, according to a published report.

Shah discovered the issue while participating in a bug bounty program and tested his theory against one company’s URL shortener, xyz.me, but the method works with any company that uses Bit.ly for shortening links.

To detect whether the service was running Bit.ly in a SaaS setup, he first confirmed his suspicion by accessing xyz.me/debug, which should return a standard-looking page.

Once this detail was confirmed, he used dirs3arch, a Python application for carrying out brute-force attacks, to scan the local Bit.ly endpoint for any active links.

By leaving the brute-forcing application running for only 5 minutes, he was able to uncover active short links that led to various “company” pages, a few of which were Google Docs documents.

If an attacker were to carry out longer brute-force attacks, there is a high chance they would eventually discover sensitive or private documents (containing passwords or financial details) that negligent employees had passed through the company’s URL shortener.

Bit.ly comes with protection against this type of attack in the form of rate limits, but attackers could easily circumvent these by using proxies.
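The proxy caveat above is why a per-IP rate limit alone is weak as a detection: the company running the shortener can also watch its own access log for the overall share of requests that resolve to no link. The following script is an added example, not the article’s or Bit.ly’s code; it assumes a minimal log format for a self-hosted shortener, constructed sample traffic, and illustrative thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log shape (not Bit.ly's real format): <client-ip> [<ISO-8601 time>] "GET /<short-code>" <status>
LOG_RE = re.compile(r'^(\S+) \[(\S+)\] "GET /([A-Za-z0-9]+)" (\d{3})$')

def parse_line(line):
    """Return (ip, timestamp, short_code, status), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if m:
        ip, ts, code, status = m.groups()
        return ip, datetime.fromisoformat(ts), code, int(status)
    return None

def detect_enumeration(lines, window_minutes=5, per_ip_misses=5,
                       global_miss_ratio=0.5, global_min_requests=10):
    """Flag short-code guessing per fixed time bucket of `window_minutes`.
    Per bucket: IPs with >= per_ip_misses distinct unresolved codes (the case a
    per-IP rate limit also sees), and the overall 404 share across all clients,
    which still fires when one enumerator spreads guesses over many proxy IPs.
    """
    buckets = defaultdict(lambda: {"total": 0, "misses": 0, "by_ip": defaultdict(set)})
    for rec in filter(None, map(parse_line, lines)):
        ip, ts, code, status = rec
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        b = buckets[start]
        b["total"] += 1
        if status == 404:  # unresolved code: a miss while guessing
            b["misses"] += 1
            b["by_ip"][ip].add(code)
    alerts = []
    for start, b in sorted(buckets.items()):
        noisy = sorted(ip for ip, codes in b["by_ip"].items() if len(codes) >= per_ip_misses)
        ratio = b["misses"] / b["total"]
        spread = b["total"] >= global_min_requests and ratio >= global_miss_ratio and not noisy
        alerts.append({"window_start": start, "miss_ratio": round(ratio, 2),
                       "noisy_ips": noisy, "distributed_enumeration": spread})
    return alerts

# Constructed sample traffic: staff resolving real links, plus one enumerator rotating
# through 12 proxy addresses with two fresh guesses each (24 misses out of 27 requests).
SAMPLE_LOG = ['10.0.0.5 [2015-09-25T13:00:01] "GET /marketing" 200',
              '10.0.0.5 [2015-09-25T13:00:07] "GET /q3deck" 200',
              '10.0.0.9 [2015-09-25T13:01:30] "GET /marketing" 200']
SAMPLE_LOG += [f'198.51.100.{n} [2015-09-25T13:0{n % 5}:{n + 20}] "GET /c{n}x{g}" 404'
               for n in range(1, 13) for g in range(2)]

if __name__ == "__main__":
    print(*detect_enumeration(SAMPLE_LOG), sep="\n")
```

On the sample traffic no single proxy address reaches the per-IP threshold, yet the bucket's miss ratio of 0.89 flags it as distributed enumeration.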

One way to avoid data leaks is for companies to instruct employees not to pass the URL of private documents through public-facing URL shorteners.