The Bitly API key and MSNBC unvalidated redirects
Websense Security Labs™ has observed a spam/fraud campaign whereby a user is redirected from a real news site to a fake news site. In this case the real site is msnbc.com, which belongs to the well-known cable and satellite channel MSNBC. We have discovered that cyber criminals appear to have gained access to the publicly available MSNBC Bitly API key. This is being abused to create custom URL shorteners. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this was the first time that a redirection technique of this type was observed.
The various methods used by this group include:
- Use of publicly available Bitly API key for redirection
- Use of a famous news site to redirect to a fake news site
- Four redirection steps from real news site to fake news site
- Spreading the link through Google and Yahoo groups and spam mail
Here is the fake news site to which the user is directed, hosted on a legitimate-looking host of hxxp://fcxnws.com/:
So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email.
Example post on Google groups:
Example post on Yahoo groups:
The full redirection chain goes as follows:
hxxp://on.msnbc.com/wMhlWc -->> using Bitly -->> hxxp://prolower.com/?630062283 -->> hxxp://fcxnws.com/
How is the Bitly service abused?
Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are very convenient as they are easier to exchange due to their length, and can improve the look of a message. Businesses can set up their own 'short domains' and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs. If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL.
For example, if the API key relates to MSNBC's Bitly account then a short URL using hxxp://on.msnbc.com/ will be used instead of hxxp://bit.ly/. In this case the Bitly API key was publicly available and mis-used by the spammers to redirect from hxxp://on.msnbc.com/ through the redirection chain.
To obtain stats for a Bitly URL the '+' character can be added at the end of it. For example the hxxp://on.msnbc.com/wMhlW link becomes hxxp://on.msnbc.com/wMhlWc+ . This reveals some interesting information: in this case, the spam was delivered 2054 times based on the click count.
Statistics from Bitly's data:
How are Bitly protecting their users?
Bitly are currently blocking the redirection page at the time of writing. Kudos to them.
More related abuse vectors on MSNBC
During this investigation Websense observed another flaw with similar impact. The following logout page has an unvalidated redirect flaw that can be used to send a user anywhere on the Internet.
In this case it's the Google search engine, but it can be a malicious website. Bitly uses the nbcnews.to domain when shortening URLs from MSNBC. The example with the unvalidated logout page above would be shortened by bitly as follows:
This means that the user will see a valid shortened URL from Bitly that belongs to NBC News and redirects to a valid NBC News domain. However the next step is another redirection that could lead anywhere on the Internet. This method may trick users into believing that this is a valid NBC news URL, leading to a double level of confusion for the victim as well as for security filters.
We have contacted the MSNBC team to alert them to these issues.
Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages detailed below:
- Stage 2 (Lure) – ACE protects against lure email messages containing the threat, as well as other type of lure examples.
- Stage 3 (Redirects) – The Websense product is able to follow each redirect in turn to permit classification.
Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, as it allows anybody to generate short URLs on your short domain that redirect to anywhere of that person's choosing. This can make it appear as if your business is the one redirecting to malware/phishing/fraud etc. Fortunately, there's not much more that anybody can do with an API key as any account-related or link editing features can only be accessed after an OAuth login.
All requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and your API key remains safe.
You can read about Bitly's API best practices here: http://dev.bitly.com/best_practices.html.
URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view.