“Bitly is more than a weblink shortener”

19.Oct.2021

In the wake of a security breach that exposed usernames and hashed passwords, Bitly finds itself in a pickle. Beyond the standard advice (don't use one password across several sites, don't recycle old ones), users are also being told to change their API keys. Hashing does not make a leaked password safe: weak or reused passwords can be cracked offline, which is why rotating them still matters. But if you look at bitly.com/settings, there's no option for a user to generate a new API key.

Bitly offers an API that lets other websites and services shorten links programmatically, without a browser plugin and without pasting long URLs into emails by hand. The company says it is simple: “Create shortlinks instantly and manage them - add, edit and delete any time.” However, anything that can create links with a key can be abused by whoever holds that key.

For example, an attacker who obtains someone else's API key (or password) can create short links under that person's account. Those links appear to come from an established, legitimate account and can be spread on social media or by email; anyone who clicks lands wherever the attacker chose, which may be a phishing page that asks for credentials or a site that serves malware. Bitly has not disclosed whether this sort of abuse played any part in the breach.

HTTPS protects the connection, not the destination. Someone snooping on your browsing session cannot read or tamper with the pages you exchange with a site, and cannot impersonate that site without a certificate for its name, but a phishing site can be served over perfectly valid HTTPS. The padlock says nothing about whether the login form you are filling in belongs to the party it claims to. Once the phishing server has decrypted your password it can forward it anywhere it likes, encrypted or not.

Put another way: HTTPS hides the content of the exchange from everyone except the two endpoints. The site you are talking to always sees what you send it; that is the whole point of the connection.

A link shortener adds a layer of indirection, and it cuts both ways. When someone clicks a Bitly-shortened URL on Twitter or Facebook, their browser first requests the short URL from Bitly's server, which looks up the code and answers with an HTTP redirect (a 301) to the stored long URL; the browser then follows that redirect to the real destination. So the full URL does pass through Bitly: the service stores the mapping from short code to destination, records which account created it, and logs the click. That is exactly what lets Bitly screen destinations and disable a link after the fact. The cost is that the reader sees nothing but bit.ly and a few characters until the redirect has already happened.

Unfortunately some platforms (Twitter, for example) wrap every link in their own shortener and display only a truncated form, so the reader never gets to inspect the real URL before clicking. A long URL at least exposes its suspicious parts: extra query parameters aimed at a vulnerable site, or a destination whose embedded JavaScript tries to send your username and password back to the attacker (phishing). Behind a short link all of that is invisible, and attacks that the length of the URL would otherwise have made conspicuous become easy.

HTTPS also does not cover the site itself. What a site does with your data is a matter of its own security policy and practice, not of the transport. An eavesdropper has a much harder time reading your traffic; the site at the other end reads it as a matter of course, and HTTPS cannot protect you from it or from its policies.

If this sort of abuse does turn out to be how the usernames and passwords fell into malicious hands in the first place, Bitly may have been an unwitting accomplice in the hack. The company isn't very transparent about how link creation works. According to its help center, creating a new shortened URL simply involves “entering your link and clicking Shorten! It's that easy!" However, when TechCrunch contacted Bitly for comment, it was told that before any link is created using an API key "it gets passed through our system with corresponding checksums generated by our algorithms." No details are given, but the company apparently looks for "suspicious activity" before it generates a short URL. A checksum over a destination URL can only catch destinations that are already known to be bad, and only if the attacker's spelling of the URL reduces to the same value, so such a list is a filter for known threats rather than a guarantee.

So HTTPS gives you privacy from the network, not from the site. Anyone who can watch your traffic (an ISP, a government agency) can still see which hosts you connect to and when, from DNS lookups and the TLS handshake, even though the page contents and anything you type into a form are hidden from them. That is real protection against data sniffers, but it is all the protection it is.

A representative from Bitly told us that this process is designed to stop hackers from creating links that send users to malware sites or to pages that trick them into revealing their login credentials: “We block malicious urls using checksums which are constantly being updated as new threats emerge."
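The redirect step described above and the checksum-based blocking Bitly's representative mentions are easy to sketch as code. The following is an added example, not Bitly's code and not based on any knowledge of its internals: a toy shortener in Python that records the owner and destination of every link, resolves codes with a 301, and refuses (at creation and again at click time) any destination whose SHA-256 over the normalized URL appears on a blocklist. The `Shortener` class, the `normalize`, `checksum`, `block` and `is_blocked` helpers, the response codes chosen, and every URL are assumptions for illustration.

```python
import hashlib
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed blocklist of SHA-256 digests over normalized URLs. It starts
# empty; block() adds entries, standing in for a list "updated as new threats
# emerge". Hypothetical, not Bitly's data.
BLOCKLIST_SHA256 = set()


def normalize(url):
    """Canonical form so trivially different spellings of one URL hash alike:
    lower-case scheme and host, drop default port, userinfo and fragment,
    keep the query (it usually matters for phishing pages)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def checksum(url):
    """The per-destination value a blocklist would store (assumed: SHA-256)."""
    return hashlib.sha256(normalize(url).encode("utf-8")).hexdigest()


def block(url):
    """Add a destination to the blocklist; existing links to it stop resolving."""
    BLOCKLIST_SHA256.add(checksum(url))


def is_blocked(url):
    return checksum(url) in BLOCKLIST_SHA256


class Shortener:
    def __init__(self):
        self.links = {}  # code -> {"long_url", "owner", "disabled"}

    def create(self, owner, long_url):
        """Shorten on behalf of an account the caller has already authenticated
        (by API key, say). The service necessarily records owner and target."""
        parts = urlsplit(long_url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("only absolute http(s) URLs can be shortened")
        if is_blocked(long_url):
            raise ValueError("destination is on the blocklist")
        code = secrets.token_urlsafe(5)
        while code in self.links:  # vanishingly rare, but never reuse a code
            code = secrets.token_urlsafe(5)
        self.links[code] = {"long_url": long_url, "owner": owner, "disabled": False}
        return code

    def resolve(self, code):
        """What the click handler does: return (HTTP status, Location header).
        The blocklist is consulted again here because it changes after creation."""
        link = self.links.get(code)
        if link is None:
            return 404, None
        if link["disabled"] or is_blocked(link["long_url"]):
            return 410, None  # Gone: the link existed but is no longer served
        return 301, link["long_url"]

    def revoke_owner(self, owner):
        """Disable every link an account created; the sensible response to a
        leaked API key. Returns the number of links disabled."""
        count = 0
        for link in self.links.values():
            if link["owner"] == owner and not link["disabled"]:
                link["disabled"] = True
                count += 1
        return count
```

The point of `revoke_owner` is that a shortener can only offer it because it knows who created each link; and the point of checking the blocklist in `resolve` as well as in `create` is that a destination that was clean when shortened may be reported later, so the check at creation alone would leave old links live.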

Bitly suggests that users who keep track of where they share links need not worry about passwords, but this is slightly disingenuous when third-party automation tools such as IFTTT can create and share links on a user's behalf using a stored authorization rather than a password entered each time.

It's important to note that you don't type your password to create or share a link. A logged-in browser session, or an API key stored by an integration, is all it takes, so anyone with access to that computer or that key can create links under your name. Sharing links on social media is mostly automated as well, so it isn't something people usually give much thought to.

The deeper problem is that even if Bitly could stop every link that leads to malware or to a credential-stealing page, attackers can still register their own accounts and shorten any URL they like. A bit.ly link therefore carries no trust in itself: you can't know where it leads unless you expand it first (Bitly shows a link's destination if you append a plus sign to the short URL, and its API can expand links without visiting them), and most people simply click.
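Expanding a link without visiting it is simple to automate. As an added example (not Bitly's code and not its API client), here is a Python routine that walks a redirect chain by issuing HEAD requests with automatic redirect-following turned off, so no destination page is ever loaded, and then flags hops a careful reader would want to know about. `head_location` talks to the network; `expand` takes the fetcher as a parameter so it can be exercised offline against `constructed_fetch`, whose chain is constructed data and not real responses from t.co, bit.ly or anyone else. The warning rules in `warnings_for` are simple heuristics chosen for illustration, not Bitly's "suspicious activity" checks, and the example.net hosts are hypothetical.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def head_location(url, timeout=5):
    """Network fetcher: one HEAD request, redirects not followed.
    Returns (status, Location header or None)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port, timeout=timeout)
    elif parts.scheme == "http":
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    else:
        return None, None  # not a web URL; expand() stops and the caller sees it
    target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    try:
        conn.request("HEAD", target, headers={"User-Agent": "link-inspector/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_location, max_hops=5):
    """Follow Location headers hop by hop without fetching any body.
    Returns the chain of URLs seen, the final URL, and whether the chain
    terminated within max_hops (redirect loops never do)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return {"chain": chain, "final": chain[-1], "complete": True}
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return {"chain": chain, "final": chain[-1], "complete": False}


def warnings_for(chain):
    """Heuristic flags on each hop (illustrative rules); empty means nothing obvious."""
    found = []
    for hop in chain:
        p = urlsplit(hop)
        if p.scheme != "https":
            found.append(f"not https: {hop}")
        if p.username is not None:
            # https://bank.example@evil.example/ shows a trusted name before the real host
            found.append(f"userinfo before host (lookalike trick): {hop}")
        if (p.hostname or "").replace(".", "").isdigit():
            found.append(f"bare IP address as host: {hop}")
    return found


# Constructed redirect chain for offline use: a platform wrapper, then a
# shortener, then a plain-http login page; plus a two-hop loop. Not real data.
CONSTRUCTED_HOPS = {
    "https://t.co/abc": (301, "https://bit.ly/xyz"),
    "https://bit.ly/xyz": (301, "http://accounts.example.net/login?u=alice"),
    "http://accounts.example.net/login?u=alice": (200, None),
    "https://loop.example.net/a": (302, "/b"),
    "https://loop.example.net/b": (302, "/a"),
}


def constructed_fetch(url):
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    result = expand("https://t.co/abc", fetch=constructed_fetch)
    for hop in result["chain"]:
        print("  ->", hop)
    for warning in warnings_for(result["chain"]):
        print("WARNING:", warning)
```

Against a live link, call `expand("https://bit.ly/...")` with the default fetcher; the short URL's own hop counts, since a wrapper such as t.co in front of bit.ly in front of the destination is exactly the double indirection the article complains about, and the `complete` flag tells you whether you actually reached the end.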

Bitly says it has more than 100,000 different checksums on its blocklist to keep users away from phishing and malware sites, but as we saw with the recent Heartbleed exploit, no security system is infallible. The problem here isn't necessarily Bitly; it may just be a case of bad luck and human error, and many other services that use shortened URLs aren't known to be affected by this type of problem. However, if Bitly does turn out to be the weak link in the chain, its value as a service is diminished: not everyone who uses shortened links knows how the system works, so they may not appreciate the risk.