Security researcher finds a way to exploit the carelessness of employees who pass sensitive files through URL shorteners

Sep 23, 2015 13:01 GMT  ·  By

Using URL shorteners inside companies, small or large, puts their data at risk when employees use them to share sensitive information through a service that was never designed for that purpose.

URL shorteners are Web services that compact long links into a much shorter URL, which is easier to post and track on social networks.

Because they are so useful to marketing departments, most companies use the enterprise offering of services like Bit.ly to run their own internal URL shortening service rather than setting up public accounts.

Because URL shorteners generally also support pretty (custom) URLs, employees sometimes use them beyond social media campaigns, shortening the URLs of sensitive, private documents to share with each other inside the company.

Shubham Shah, a security researcher from Sydney, Australia, working together with Christina Camilleri, a pentester and social engineer from San Francisco, has experimented with a way to extract sensitive links from companies that deploy Bit.ly as their URL shortener.

The method is only tested on Bit.ly-powered URL shorteners

He came across his discovery while participating in a bug bounty program, and tested his theory on a company's [redacted name, see the disclaimer at the end of the page] URL shortener, xyz.me, but the method can be applied to any company that uses Bit.ly for shortening links.

To confirm that the service was Bit.ly running in a SaaS setup, he accessed xyz.me/debug, which returns a standard page like the one attached to this article.

Once this was confirmed, he used dirs3arch, a Python tool for brute-forcing web paths, to scan the company's Bit.ly endpoint for active links.

After leaving the brute-forcing tool running for only 5 minutes, he had uncovered active short links that led to various "company" pages, a few of which were Google Docs documents.

Keep in mind that this was only a small-scale test of the theory; an attacker who ran longer brute-force attacks would stand a high chance of discovering, sooner or later, sensitive or private documents (containing passwords or financial details) that negligent employees had passed through the company's URL shortener.

Rate limits can be bypassed using proxies

Bit.ly comes with protection against this type of attack in the form of rate limits, but attackers could easily sidestep them by spreading their requests across proxies.
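As an added example, not from the article or from Mr. Shah's research, this is how a defender could spot the enumeration described above in the shortener's own access logs: it parses constructed combined-format log lines, flags any client that keeps requesting short-code paths and mostly receives 404s, and also reports the site-wide miss count, the signal that survives when the guessing is spread across proxies so that no single IP trips a per-client rule. The log lines, the xyz.me host, the IP addresses, the `/debug` reserved path and the 4-8 character code length are all assumptions.

```python
import re
from collections import defaultdict

# Combined-format access log pattern (client IP, request line, status code).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Short codes are short alphanumeric path segments; the 4-8 length range is an assumption.
SHORT_CODE_RE = re.compile(r'^/[A-Za-z0-9]{4,8}$')
RESERVED_PATHS = {'/debug'}  # known non-link endpoints on the shortener host (assumed)

# Constructed log lines for a hypothetical xyz.me shortener: one client guessing
# codes in sequence and mostly getting 404s, one ordinary client following a link.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Sep/2015:13:00:01 +0000] "GET /1aB2cD HTTP/1.1" 404 162 "-" "dirs3arch"
203.0.113.5 - - [23/Sep/2015:13:00:01 +0000] "GET /1aB2cE HTTP/1.1" 404 162 "-" "dirs3arch"
203.0.113.5 - - [23/Sep/2015:13:00:02 +0000] "GET /1aB2cF HTTP/1.1" 301 0 "-" "dirs3arch"
203.0.113.5 - - [23/Sep/2015:13:00:02 +0000] "GET /1aB2cG HTTP/1.1" 404 162 "-" "dirs3arch"
203.0.113.5 - - [23/Sep/2015:13:00:03 +0000] "GET /1aB2cH HTTP/1.1" 404 162 "-" "dirs3arch"
198.51.100.7 - - [23/Sep/2015:13:00:05 +0000] "GET /q1w2e3 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Sep/2015:13:02:10 +0000] "GET /debug HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield (ip, path, status) for every line that matches the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m['ip'], m['path'], int(m['status'])

def enumeration_report(text, min_requests=4, min_miss_ratio=0.5):
    """Return (flagged, site_misses): flagged maps each client whose short-code
    requests are mostly 404s to its counters; site_misses is the total of short-code
    404s from all clients, which stays visible when guessing is spread over proxies."""
    per_ip = defaultdict(lambda: {'requests': 0, 'misses': 0, 'hits': 0})
    site_misses = 0
    for ip, path, status in parse_log(text):
        if path in RESERVED_PATHS or not SHORT_CODE_RE.match(path):
            continue
        stats = per_ip[ip]
        stats['requests'] += 1
        if status == 404:
            stats['misses'] += 1
            site_misses += 1
        elif status in (301, 302):
            stats['hits'] += 1  # a guessed code that resolved to a real link
    flagged = {ip: dict(s) for ip, s in per_ip.items()
               if s['requests'] >= min_requests
               and s['misses'] / s['requests'] >= min_miss_ratio}
    return flagged, site_misses
```

Running `enumeration_report(SAMPLE_LOG)` flags only 203.0.113.5 (4 of 5 short-code requests were 404s, 1 resolved) and reports 4 site-wide misses; in practice the thresholds would be tuned to the shortener's normal miss rate.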

As Mr. Shah told Softpedia, "while the issue was demonstrated on the company's URL shortener powered by Bit.ly, the enumeration of shortened URLs is a universal concept that affects not only Bit.ly but also many other URL shortening services."

In the end, the only way to avoid data leaks of this kind is for companies to instruct their employees not to pass the URLs of private documents through public-facing URL shorteners.

Even though it's not their fault, we've reached out to Bit.ly for comment on Mr. Shah's experiment.

UPDATE: This article was edited to remove the name of the company used as an example. A generic name was used instead. The correction was suggested by Mr. Shah who felt that the company had no blame in this case study and should not be named.