URL shortening services such as goo.gl, bit.ly and ow.ly are very popular and widely used. They are a genuinely useful product that makes everyday use of the Internet easier and more pleasant: they take long, ugly URLs and turn them into short ones that are easy to remember.
Some services also offer click analytics, so we can track how many sad souls clicked on the link to the Lana Del Rey song we posted on our Facebook profile: http://goo.gl/a1E3J
However, bit.ly took it even further: in addition to offering analytics and a certain kind of social network, it lets users create custom URLs (for example, http://bit.ly/sikanja takes you to my LinkedIn profile). I find playing with this particularly interesting and I often make custom URLs for lots of different things (by the way, bit.ly is not the only service that offers this feature).
Why am I mentioning these services on a fraud and security blog? They are infamous for their abuse in spam and phishing attacks, but this time we are not going to talk about that. In this post I will show an example of how improper use of these services can jeopardize both your privacy and the information security of the company you work for. Marketing managers will also find useful information about how not-yet-published material can be spied on by competitors.
The first thing to pay attention to is that most URLs shortened through these services become publicly available. That alone is a clear sign that we need to watch what we shorten. Beyond our private habits, we often feel the need to use shortened URLs in business communication as well: we try to be concise and precise, and that image can be ruined by a long URL that we put in, for example, a business report.
But shortening URLs that lead to protected content not meant for everyone's eyes, such as links to website admin panels, can lead to serious information leakage and compromise information security. Using bit.ly as an example, I will demonstrate how easily someone can get hold of your URLs and/or your protected content, and why you should think twice before shortening something confidential.
Collecting data from the social component of bit.ly
As mentioned in the introduction, bit.ly has a social component (http://bitly.com/a/network). If you have connected your bit.ly account to your Twitter account (the most common case), clicking the link above shows you all URLs shortened by the people you follow on Twitter. There is another way, with a simple modification of a URL, to "check" whether someone has a bit.ly account and what is in their link database:
(in my case https://bitly.com/u/joshibeast)
So what can be found by digging through this data? In short, a lot of things that should not be available to third parties: links to various admin panels, to Google Docs spreadsheets, or even to questionable pornographic searches. What needs special attention is that even data that is not confidential per se can be abused. A simple, specific example of possible corporate espionage illustrates my point pretty well:
The marketing teams of American Express or Visa can know in advance which link MasterCard will post on social networks and tailor their own posts accordingly.
How can they get this information legally, without hacking?
The answer is bit.ly. MasterCard's marketing team uses this service for their posts. If we go to their profile, we can see that yesterday (December 3, 2013) they shortened the URL to the hit song The Final Countdown by the band Europe. At the time of writing this post, the link is still unpublished: http://bitly.com/1auRg6Q+
In what way can we abuse this?
I believe those companies are serious enough not to allow the scenario of abuse we all have in mind now; however, not all companies treat competition in a good and fair manner. So, beware!
In response to such problems, bit.ly offers the option of making the URLs on your profile private, although this only partially resolves the problem. The URLs are not private in the true sense of the word, since anyone who has them can still access them; they just no longer appear publicly under your account. What kinds of risks does such relative privacy bring?
Bad custom URL = bad password
If someone tried to further hide protected content by creating a custom URL, there is a good chance they made a huge mistake. People have a strong tendency to use bad passwords; the recent Adobe hacking disaster only reminded those of us who work in security of this sad fact. I devised a small experiment and gave myself the following task: think about what a disastrous custom URL to confidential data could look like. The results of the 15-minute experiment are devastating. Unfortunately, in addition to using bad passwords, people also make bad custom URLs to confidential data. You can see part of my findings in the table below. And since I do not want anybody to be hacked, I left out the most severe examples and emailed their creators with a suggestion to make some changes.
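The point above is that a custom slug guarding otherwise "private" content is a password in disguise, so it deserves the same policy check a password gets before it is accepted. The following is an added example, not code from the original post or from bit.ly: a small pre-creation checker that rejects slugs built from dictionary words and years, estimates guess resistance in bits the way a strength meter would, and generates a full-entropy slug as the alternative. The word list, the 16-bit cost per dictionary word and the 40-bit threshold are constructed assumptions; a real deployment would load the same wordlist its password policy uses.

```python
import math
import re
import secrets
import string

# Constructed mini word list standing in for a real dictionary (assumption: a
# deployment would load the same wordlist its password policy uses). Years are
# handled separately below.
COMMON_WORDS = {
    "admin", "login", "panel", "secret", "private", "internal", "report",
    "budget", "sales", "staff", "test", "backup", "docs", "finance",
    "campaign", "draft", "board", "meeting", "press", "launch",
}

# Guess cost of one dictionary word, assuming the attacker's wordlist has about
# 2**16 entries (an assumption, deliberately generous to the defender).
WORD_COST_BITS = 16.0

SLUG_ALPHABET = string.ascii_letters + string.digits


def tokenize(slug: str) -> list[str]:
    """Split a slug into lowercase word and digit runs, splitting camelCase too:
    'SalesReport2013' -> ['sales', 'report', '2013']."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", slug)]


def estimated_guess_bits(slug: str) -> float:
    """Rough guess resistance in bits, estimated the way a password-strength
    meter would: dictionary words and years are cheap, everything else is
    credited with the entropy of the character classes it uses."""
    toks = tokenize(slug)
    if not any(t in COMMON_WORDS for t in toks):
        pool = 0
        if any(c.islower() for c in slug):
            pool += 26
        if any(c.isupper() for c in slug):
            pool += 26
        if any(c.isdigit() for c in slug):
            pool += 10
        if any(c in "-_" for c in slug):
            pool += 2
        return len(slug) * math.log2(max(pool, 1))
    bits = 0.0
    for tok in toks:
        if tok in COMMON_WORDS:
            bits += WORD_COST_BITS
        elif tok.isdigit() and len(tok) == 4 and 1900 <= int(tok) <= 2099:
            bits += math.log2(200)            # a year: only ~200 plausible values
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += len(tok) * math.log2(26)  # unknown word: treated as random letters
    return bits


def weaknesses(slug: str, min_bits: float = 40.0) -> list[str]:
    """Return the reasons a proposed custom slug should be rejected (empty = fine)."""
    issues = []
    if len(slug) < 8:
        issues.append("shorter than 8 characters")
    toks = tokenize(slug)
    words = [t for t in toks if t in COMMON_WORDS]
    if words:
        issues.append("contains dictionary words: " + ", ".join(words))
    if toks and all(t in COMMON_WORDS or t.isdigit() for t in toks):
        issues.append("made only of dictionary words and numbers")
    bits = estimated_guess_bits(slug)
    if bits < min_bits:
        issues.append(f"estimated {bits:.1f} bits of guess resistance, below {min_bits:.0f}")
    return issues


def is_acceptable(slug: str, min_bits: float = 40.0) -> bool:
    return not weaknesses(slug, min_bits)


def random_slug(length: int = 10) -> str:
    """Generate a slug with full entropy: log2(62), about 5.95 bits per character."""
    return "".join(secrets.choice(SLUG_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed candidates: three human-chosen slugs and one generated one.
    for candidate in ("admin", "SalesReport2013", "board-meeting-draft", random_slug()):
        print(f"{candidate!r:24} acceptable={is_acceptable(candidate)}  {weaknesses(candidate)}")
```

The dictionary checks run independently of the bit estimate on purpose: three words strung together can clear a naive entropy threshold while still being exactly what a wordlist-driven guesser tries first, so a slug made only of words and numbers is rejected regardless of its score.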
Is there a solution to this problem?
As mentioned before, the need for these services is real, and the services are basically fine as long as they are used in the right way. For personal use, the only advice I can give is to watch what you shorten and what information it gives away about you: you can lose your data, unconsciously lend an attacker a hand in a social engineering attack, or fall victim to unfair competition. For internal corporate communication the matter is somewhat more complex, but it has a happy ending.
The first rule a company should adopt: external URL shortening services should not be used to shorten URLs to confidential data.
I will deal with the broad topic of the risks and benefits of using various external services for corporate communication and confidential data protection on another occasion. For now, I just want to point out that there is a fundamental difference between, say, using Google Drive to store confidential data and using bit.ly to shorten confidential URLs. The primary, but not the only, reason is that the privacy offered by shortening is relative.
However, there is a simple and cheap way to avoid these risks that has no negative impact on your work processes. On your own domain you can install YOURLS, a free URL shortening service. It is safe, tested software, and since it is open source, any modifications and additional checks are possible. If necessary, you can also restrict access to your links with a username and password. This way you have a service that you host yourself and that depends entirely on you, which is good for both stability and security. And the best part is that you can keep shortening with no fear and no limitations.
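The rule that confidential URLs never go to an external shortener is easy to state and easy to forget in a hurry, so it helps to enforce it mechanically: a gate that inspects a URL before it is submitted to bit.ly or similar, and routes anything that looks confidential to the self-hosted shortener instead. The following is an added example, not code from the original post or from YOURLS. It flags embedded credentials, private or internal hosts, admin-panel paths and secret-bearing query parameters; the internal domain suffixes, path names and parameter names are constructed placeholders that an organisation would replace with its own.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed policy values (assumptions): a real deployment would load the
# organisation's own internal domains, admin paths and parameter names.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example", ".internal", ".intranet", ".local")
ADMIN_PATH = re.compile(
    r"/(admin|wp-admin|administrator|manage|dashboard|cpanel|phpmyadmin)(/|$)", re.I
)
SECRET_QUERY_KEYS = {
    "token", "access_token", "auth", "key", "apikey", "api_key", "sig",
    "signature", "session", "sessionid", "password", "pwd", "sharingkey",
}


def is_internal_host(host: str) -> bool:
    """True for loopback, private and link-local addresses, bare hostnames and
    internal domain suffixes: content there was never meant for the public."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal, fall through to the name checks
    host = host.lower().rstrip(".")
    return "." not in host or host.endswith(INTERNAL_DOMAIN_SUFFIXES)


def confidentiality_reasons(url: str) -> list[str]:
    """Reasons this URL must not be handed to an external shortener (empty = allowed)."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme.lower() not in ("http", "https"):
        reasons.append(f"unexpected scheme '{parts.scheme}'")
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials embedded in the URL")
    host = parts.hostname or ""
    if not host:
        reasons.append("no host")
    elif is_internal_host(host):
        reasons.append(f"internal or private host '{host}'")
    if ADMIN_PATH.search(parts.path):
        reasons.append("path looks like an admin panel")
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_QUERY_KEYS:
            reasons.append(f"secret-bearing query parameter '{key}'")
    return reasons


def may_use_external_shortener(url: str) -> bool:
    return not confidentiality_reasons(url)


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    samples = (
        "https://www.example.com/blog/final-countdown",
        "https://www.example.com/wp-admin/",
        "https://docs.example.com/report?access_token=abc",
        "http://192.168.10.4/panel",
        "https://user:pw@example.com/",
        "http://intranet/",
    )
    for u in samples:
        verdict = "external OK" if may_use_external_shortener(u) else "self-hosted only"
        print(f"{verdict:17} {u}  {confidentiality_reasons(u)}")
```

The check is deliberately conservative: a URL with a capability token in its query string is itself the secret, and shortening it publishes that secret under a guessable short code, so the gate treats any of the listed parameter names as disqualifying rather than trying to judge the token's value.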
First time on e-sigurnost.net?
Thanks for reading. e-sigurnost.net is an educational blog about online fraud, privacy and security. However, one of my main interests is defining relations between online security and privacy.
This was my first post in English. The blog is mainly written in Serbian, but my intention is to write posts in English at least once a month. For the other posts, Google Translate does the trick.
You can find out who I am by visiting my LinkedIn profile.
Feel free to like my Facebook page, follow me on Twitter or subscribe via RSS.