Using external URL shortener services to create better-looking links to internal company documents, sensitive files and internal websites is a practice that company employees should avoid, says security researcher Shubham Shah, as it can result in those documents being accessed by individuals with malicious intentions.
As Shah and social engineer Christina Camilleri were searching for bugs to submit to the Etsy bug bounty program, they noticed that the company uses a dedicated URL shortener domain (http://etsy.me), but that the service is actually provided by Bit.ly via a SaaS arrangement.
With dirs3arch, an open source command line tool designed to brute force directories and files in websites, they tested this URL shortener service, and discovered a number of links that have been generated by the Etsy staff.
The links included some of Etsy’s internal URLs, but also Google Doc forms and other sensitive links.
And Bit.ly is not the only service that opens these unexpected doors.
“Applying this same method over other URL shortners will also work, however they may rate limit you so you may need to use proxies in order to extract as much as possible, blindly,” Shah noted.