Xavier Blasco (a.k.a. Lerhan) is a 23-year-old security researcher on the Detectify Crowdsource Platform. He’s passionate about security and found a way in through bug bounty programs. As an ethical hacker, he is naturally curious about the security of the vendors he buys from, and this time that curiosity led to bypassing IDOR protection using URL shorteners. In the following guest blog, he describes the security flaw that let him access new client contracts on Jazztel’s platform.
After contracting Jazztel (Orange sub-brand) as my Internet provider I got an SMS that had a link to my new contract, but something looked weird…
What is URL shortening
In modern web applications we often come across long URLs that are hard to remember or inconvenient to share because of character limits. Uniform Resource Locator (URL) shortening is a technique that makes URLs much shorter while still directing the user to the same page. For example, the URL https://labs.detectify.com/category/writeups/ could be shortened to https://dtfy.com/5rp93. URL shortening is also used to beautify links and to track clicks and other statistics.
Jazztel shortened URL workflow
Jazztel has a web page where new clients can view their new contract. When the contract was set up, Jazztel sent the new client an SMS with a link like https://redacted.com/P5dFa to view it, and the link expired after 4 days. This link was a shortened URL that redirected the user to another page, operated by a third-party application, whose URL was much longer for security reasons.
The final URL was similar to https://api.example.com/pub/JAZZTEL/da4271c24b5cbtc88756b9f42fbd2475c0ba97da/5c8fe3e8c8f89/, which as you can see, had random alphanumeric characters to prevent Insecure Direct Object Reference (IDOR).
When shortened URLs become an issue
Although shortened URLs can be good for a lot of things, they can also introduce security flaws in some cases. Most of the time shortened URLs link to static pages that should be accessible by any user, but this was not the case in the above scenario.
The link given by Jazztel should only be accessible by the user that received the SMS. After seeing the shortened URL, and given that Jazztel is pretty big and has lots of clients, I quickly thought: “That link looks too short for the amount of clients this company has”.
Passing it through Gobuster
The URL path had 5 alphanumeric characters (https://redacted.com/P5dFa), so I created a list of possible combinations of 5 alphanumeric characters (ex. Yt41L, Hu2iT) and passed it through Gobuster.
The results were quite surprising. After brute forcing 10 000 links, I got 30 working URLs that linked to other people’s contracts, some of them disclosing client name, phone number, national identity number, installation address and the price of the services that the client was contracting.
Out of the 30 working shortened links, I got 5 expired links and 22 redirects to notifications for users disclosing just names, while the last 3 linked to new clients’ contracts disclosing client names, phone numbers, national identity numbers, installation addresses and the price of the services for each user.
image: Contract disclosing clients personal data due to the security flaw. Jazztel has resolved this issue.
Doing the math
Each character position can be a lowercase letter, an uppercase letter or a digit from 0-9. There are 26 possible letters in each case and 10 possible digits, so there are 62 possible characters per position (26+26+10). The path is 5 characters long, so the total number of possible combinations is 916 132 832 (62⁵).
As you have seen before, Gobuster brute forced 10 000 links in about 34 seconds, which means that going through 916 132 832 requests would take around 36 days. Since links expire every 4 days, it would’ve been impossible to get all active links before expiration.
However, assuming that we get 2-4 contracts every 10 000 requests (34 seconds), it means that it would’ve been possible to get around 31 000 contracts that have full details before expiration.
Conclusion and mitigation
When implementing URL shortening it is important to think about what you are going to use it for. If you’re going to create links for static pages that are accessible to every user, it doesn’t matter if the path has 5 or fewer characters.
On the other hand, if you are trying to create shortened URLs to access sensitive data that should only be accessible by one user, you should implement at least one of the following:
- Authentication: The page that contains sensitive data should only be accessible through authentication, allowing only the authenticated user to access the data.
- High entropy strings: The path string should be long enough that it is impossible to brute force.
Another layer of security could be implementing rate-limiting for requests, making this even harder to brute force.
In this case, Orange changed the path to a 10-character alphanumeric string, which makes it no longer feasible to brute force. If you’re wondering, it would take around 91 million years to brute force every combination.
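The arithmetic from "Doing the math" and the length fix above, generalised into a sizing check to run before issuing short links to private pages (an added example, not code from the original post or from Jazztel/Orange). The request rate and 4-day lifetime come from the post; the number of live contract links is an assumption extrapolated from the 3-in-10 000 hit rate, and all function names are hypothetical.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (26 + 26 + 10)
REQ_PER_SEC = 10_000 / 34        # request rate reported in the post
LIFETIME_SEC = 4 * 24 * 3600     # links expire after 4 days


def keyspace(length: int) -> int:
    return len(ALPHABET) ** length


def days_to_exhaust(length: int, req_per_sec: float = REQ_PER_SEC) -> float:
    return keyspace(length) / req_per_sec / 86_400


def expected_hits(length, live_links, req_per_sec=REQ_PER_SEC, lifetime_sec=LIFETIME_SEC):
    """Expected live links reached by non-repeating guesses within one link lifetime."""
    guesses = min(req_per_sec * lifetime_sec, keyspace(length))
    return guesses * live_links / keyspace(length)


def min_length(live_links, max_expected_hits, **rate):
    """Shortest code length that keeps expected_hits at or below the budget."""
    length = 1
    while expected_hits(length, live_links, **rate) > max_expected_hits:
        length += 1
    return length


def new_code(length: int) -> str:
    """Issue a code from the OS CSPRNG; sequential or time-based codes void the math."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Assumption: live contract links extrapolated from the post's 3 hits per 10 000 guesses.
CONTRACT_LINKS = round(3 / 10_000 * keyspace(5))

if __name__ == "__main__":
    print(f"5 chars: {days_to_exhaust(5):.1f} days to exhaust, "
          f"{expected_hits(5, CONTRACT_LINKS):,.0f} contracts reachable in 4 days")
    print(f"10 chars: {expected_hits(10, CONTRACT_LINKS):.1e} expected hits in 4 days")
    print("length for <= 1e-6 expected hits:", min_length(CONTRACT_LINKS, 1e-6))
    print("sample code:", new_code(10))
```

Time to exhaust the keyspace understates the exposure: what matters is the density of live links in the keyspace over one link lifetime, which is why a 36-day exhaustion time at 5 characters still left thousands of contracts reachable.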
Also, if you come across a URL shortener, try to understand what it is used for; you might get lucky and find this same issue elsewhere.
05/17/2019 – Report sent to Orange CERT
05/20/2019 – Orange CERT starts to review the report
05/22/2019 – Vulnerability fixed by increasing path length to 10 alphanumeric characters and preventing the URLs from being indexed by search engines.
Finally, I would like to congratulate Orange CERT for their fast response and for allowing me to write this post. It’s been a great experience overall, thanks!