
Short Link Services for Company Employees: Security Risks and Tips

Today, I want to raise an important issue of information security and discuss short link services that are used within companies and by specific groups of employees. A short link service can be useful for simplifying the sharing of long URLs, but its use also carries certain risks. Let’s take a closer look.

Most often, these services allow you to shorten long links like

supercompany.com/category/post/id123/longggggggggg-post-name.html

into a short link like:

sprcmpn.com/link1

This makes life easier for employees and helps save space in emails or messages. However, despite its convenience, these services can pose security threats.

Confidential data, and links leading to it, should not be placed in such services, and internal company policies should prohibit doing so. Nevertheless, employees sometimes, unknowingly or for convenience, place links to critical information on such resources.

Definitions and Key Concepts

Before moving on to discussing the risks, it is important to define a few key terms related to short link services:

  • Short link service — A tool that allows you to convert a long URL into a shorter and easier-to-use link.
  • Confidential information — Data that has restricted access and must be protected from unauthorized use.
  • Mass scanning — An automated process of going through a large number of URLs to find potential vulnerabilities.
  • DOLGScan — A tool used to analyze and scan URLs for vulnerabilities and critical information.

These definitions will help you better understand the risks that arise when using corporate short link services.

Practical Example

Recently, I came across one such corporate service. The situation occurred while I was talking with an employee of a mid-sized company in Europe, which we will call SuperCompany. On their website, I saw a short link like sprcmpn.com/L1Nk123, which led to templates for website visitors.

I became curious about how this service works (I intentionally conceal the name of the service and the company). Access to posting links was only available within the corporate network, but short links could be opened externally. This meant a potential risk because the data could be accessed if the structure of the service was known.

I assumed that each link had its own ID stored in the database and linked to a short alias like L1Nk123, which led to the main long link. Using my DOLGScan tool and specifying a range, I managed to discover a link like site.com/r/1. Then, I used a scanner to collect all links like:

site.com/r/1
site.com/r/2
…
site.com/r/NNNNNN

Surprisingly, the short link service did not react to the scanning and did not block my host. However, in the collected data, I found links to critical documents and internal pages of the company.

I wrote a detailed report and contacted the company’s representatives to report the vulnerability.

Potential Risks of Using Corporate Short Link Services

Using corporate short link services comes with several risks that companies often overlook. Here are the main ones:

1. Confidential Information Leak

Short links can contain confidential information that becomes accessible to third parties if such links are not properly secured. Even if company policy prohibits this, human error cannot be completely ruled out.

2. Lack of Protection Against Scanning

Short link services that do not use mechanisms to prevent mass scanning can be compromised, allowing attackers to access restricted data. This applies to both internal and external use of the service.

3. Internal Abuse

Even if the service is not available externally, there is always a risk that someone within the company may use it for malicious purposes. Employees may intentionally or accidentally generate links to confidential documents, which could then end up in public access.

Conclusions and Recommendations

This story emphasizes the importance of information security when using even seemingly harmless tools like short link services. Here are some conclusions and recommendations for companies using such services:

1. People Will Always Look for Simple Solutions

Even if official rules prohibit employees from sharing links to confidential information, they will still do it for convenience. It is important to understand the human factor and strive to raise employees’ awareness of potential risks.

Conduct regular training for employees, emphasizing the importance of protecting confidential information and the consequences for the company in case of data leakage.

2. Use Protection Against Scanning

Short link services must have mechanisms to protect against mass scanning. This could include rate-limiting requests from one IP, using CAPTCHA, or tracking suspicious activity.

Implement a mechanism to automatically block IP addresses that make a suspicious number of requests in a short period.
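The following is an added example (not code from the original post or from any service it describes) of the two controls just described: a sliding-window limit on requests per IP to the redirect endpoint, and an automatic temporary block once the limit is exceeded. The request log is constructed for the example and mirrors the enumeration pattern from the story, one host walking /r/1, /r/2, and so on.

```python
from collections import defaultdict, deque

# Constructed sample request log: (client IP, unix time, path).
# 203.0.113.7 walks the aliases sequentially; 198.51.100.3 is a normal user.
SAMPLE_REQUESTS = [("203.0.113.7", 1000.0 + i * 0.2, f"/r/{i}") for i in range(1, 41)]
SAMPLE_REQUESTS += [("198.51.100.3", 1001.0, "/r/17"), ("198.51.100.3", 1003.5, "/r/17")]


class ResolverGuard:
    """Sliding-window per-IP rate limiter with automatic temporary blocking."""

    def __init__(self, max_requests=20, window_s=10.0, block_s=600.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self.block_s = block_s
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self.blocked_until = {}          # ip -> unix time at which the block ends

    def allow(self, ip, now):
        """Return True if the request may be served, False if it must be refused."""
        if self.blocked_until.get(ip, 0.0) > now:
            return False
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop hits older than the window
            q.popleft()
        if len(q) > self.max_requests:
            # Suspicious burst: block the source for block_s seconds and reset its window.
            self.blocked_until[ip] = now + self.block_s
            q.clear()
            return False
        return True


def replay(requests, guard=None):
    """Replay a request log through the guard; return per-IP served/refused counts."""
    guard = guard or ResolverGuard()
    outcome = defaultdict(lambda: {"served": 0, "refused": 0})
    for ip, ts, _path in sorted(requests, key=lambda r: r[1]):
        outcome[ip]["served" if guard.allow(ip, ts) else "refused"] += 1
    return dict(outcome), guard


if __name__ == "__main__":
    result, g = replay(SAMPLE_REQUESTS)
    for ip, counts in result.items():
        print(ip, counts, "BLOCKED" if ip in g.blocked_until else "")
```

In the sample, the enumerating host is served 20 redirects and then refused for the rest of its run, while the normal user is unaffected.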

3. Automate Link Verification for Critical Information

Automating the verification of links for critical information can help reduce the risk of leakage. This includes regularly analyzing all created links for confidential information and deleting or blocking such links.

Set up link content scanning to automatically find potentially dangerous data and notify responsible persons.
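An added example of such an automated check (not code from the original post): every destination URL behind an alias is classified against a small policy, and aliases with findings are returned for review or blocking. The sample links and the policy rules (internal host labels, sensitive path segments, query parameters that usually carry tokens or signatures) are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: alias -> destination URL, as stored by a short link service.
SAMPLE_LINKS = {
    "L1Nk123": "https://supercompany.com/templates/visitor-pack.html",
    "L1Nk124": "https://intranet.supercompany.com/hr/salary-review-2024.xlsx",
    "L1Nk125": "https://files.supercompany.com/dl?token=eyJhbGciOi...&id=42",
    "L1Nk126": "https://supercompany.com/confidential/board-minutes.pdf",
}

# Assumed policy rules for the example; a real deployment would maintain its own lists.
INTERNAL_HOST_RE = re.compile(r"(^|\.)(intranet|internal|corp|vpn)\.", re.I)
SENSITIVE_PATH_RE = re.compile(r"/(confidential|internal|hr|finance|secret)(/|$)", re.I)
SECRET_PARAMS = {"token", "access_token", "sig", "signature", "key", "apikey", "password"}


def classify_link(long_url):
    """Return the list of policy findings for one destination URL (empty list = clean)."""
    parts = urlsplit(long_url)
    findings = []
    if INTERNAL_HOST_RE.search(parts.netloc):
        findings.append("internal-host")        # points into an internal zone
    if SENSITIVE_PATH_RE.search(parts.path):
        findings.append("sensitive-path")       # path segment suggests restricted content
    if SECRET_PARAMS & {k.lower() for k in parse_qs(parts.query)}:
        findings.append("secret-in-query")      # pre-signed or token-bearing URL
    return findings


def audit_links(links):
    """Audit every alias; return {alias: findings} for the links that need action."""
    return {alias: f for alias, url in links.items() if (f := classify_link(url))}


if __name__ == "__main__":
    for alias, findings in audit_links(SAMPLE_LINKS).items():
        print(alias, "->", ", ".join(findings))
```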

4. Control Service Accessibility from Outside

Even if a short link service is used only within the company to add new links, it still represents a potential risk if the resulting links can be opened from outside.

Evaluate whether external access to shortened links is necessary. If it is not mandatory, restrict access to the corporate network only.

5. Internal Risks

Even if the service is not available externally, there is always a risk that an employee within the network might collect all the links and find critical information.

Use strict access restrictions within the network and implement user activity monitoring systems to detect potential abuse.

Practical Measures to Improve Security

Here are a few additional measures that can help improve the security of corporate short link services:

  • Authentication and Authorization: Require authentication to access the short link service and control who can create and use links.
  • Logging and Monitoring: Enable logging and monitoring of all actions related to the use of the service to respond promptly to possible incidents.
  • Link Expiration: Set expiration limits for short links to minimize the risk of data leaks through outdated links.
  • Regular Security Audits: Conduct regular audits and security checks to ensure the service is protected and contains no vulnerabilities.
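An added example (not code from the original post) of the Link Expiration measure above, implemented as a small in-memory store in which every alias carries an expiry time and expired aliases stop resolving. It goes one step beyond the list by also generating aliases from random bytes rather than from a sequential database ID, which is what made the /r/1, /r/2, ... enumeration in the story possible. The class, its method names and the injectable clock are assumptions made for the example.

```python
import secrets
import time

ALIAS_BYTES = 12  # 96 random bits -> a 16-character URL-safe alias


class ShortLinkStore:
    """In-memory store with random aliases and per-link expiry (example only)."""

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so expiry can be tested deterministically
        self.links = {}          # alias -> (long_url, expires_at_unix_time)

    def create(self, long_url, ttl_seconds):
        """Register a destination and return its alias, valid for ttl_seconds."""
        # A random alias cannot be enumerated by counting upwards the way a
        # sequential ID can; guessing one is a ~2^96 search.
        alias = secrets.token_urlsafe(ALIAS_BYTES)
        self.links[alias] = (long_url, self.clock() + ttl_seconds)
        return alias

    def resolve(self, alias):
        """Return the destination URL, or None if the alias is unknown or expired."""
        entry = self.links.get(alias)
        if entry is None:
            return None
        long_url, expires_at = entry
        if self.clock() >= expires_at:
            del self.links[alias]   # lazy purge: an expired link disappears on first touch
            return None
        return long_url

    def purge_expired(self):
        """Drop every expired link in one pass; return how many were removed."""
        now = self.clock()
        stale = [a for a, (_, exp) in self.links.items() if now >= exp]
        for a in stale:
            del self.links[a]
        return len(stale)


if __name__ == "__main__":
    store = ShortLinkStore()
    alias = store.create("https://supercompany.com/templates/visitor-pack.html", 3600)
    print(alias, "->", store.resolve(alias))
```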

Conclusion

Short link services are a convenient tool, but they carry potential security risks. It is important to understand that employees may misuse these services without fully realizing the threats. Companies should implement measures to protect against scanning, automate link verification for confidential information, and minimize external access risks.

For security researchers, such situations are an important reason to pay attention to corporate data protection practices. Any tool, even one like short links, can become a vulnerability if used improperly or left unsecured.

Be vigilant, check your corporate tools for vulnerabilities, and remember — security starts with awareness.

Additional Tips for Security Researchers

  • When discovering such services, always analyze the possibility of scanning them and identifying critical information.
  • Report any vulnerabilities found to the appropriate authorities to minimize potential risks.
  • Use your own tools, such as scanners, to find weaknesses in corporate services.

Ivan Dolgikh