Closed Bug 1767030 Opened 3 years ago Closed 2 years ago

Valid Hardcoded Bit.ly API Key

Categories

(Websites :: Other, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: geeknik, Assigned: chutten)

References

()

Details

(Keywords: reporter-external, sec-low, wsec-other, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(2 files)

A valid bit.ly API key (48ecf90304d70f30729abe82dfea1dd8a11c4584) was found hardcoded in the following Mozilla asset location:
https://probes.telemetry.mozilla.org/static/js/main.e92545e1.chunk.js

This API key allows for the creation of bit.ly links:
https://api-ssl.bitly.com/v3/shorten?access_token=48ecf90304d70f30729abe82dfea1dd8a11c4584&longUrl=https://www.google.com

{"status_code":200,"status_txt":"OK","data":{"url":"https://bit.ly/3kniZ7p","hash":"3kniZ7p","global_hash":"3hQYj","long_url":"https://www.google.com/","new_hash":0}}

This API key also allows for the retrieval of information from a shortlink:
curl -H 'Authorization: Bearer 48ecf90304d70f30729abe82dfea1dd8a11c4584' -X GET https://api-ssl.bitly.com/v4/bitlinks/bit.ly/3kniZ7p

{"created_at":"2022-04-29T14:08:51+0000","id":"bit.ly/3kniZ7p","link":"https://bit.ly/3kniZ7p","custom_bitlinks":[],"long_url":"https://www.google.com/","title":"Google","archived":false,"created_by":"o_7tijrtg215","client_id":"a5e8cebb233c5d07e5c553e917dffb92fec5264d","tags":[],"deeplinks":[],"references":{"group":"https://api-ssl.bitly.com/v4/groups/Be5m7y2RZXD"}}

It may also be possible to update already created short links in order to redirect users to unexpected locations. Please see the API documentation at https://dev.bitly.com/api-reference for more information on how this key may be abused.

Thank you.

Flags: sec-bounty?
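The report above is a textbook case of a credential shipped inside a built front-end bundle. As an added example (not code from the report, from Bugzilla, or from the telemetry-dashboard / probe-dictionary projects), here is a small Python scanner of the kind a pre-deploy or CI step could run over built assets to flag a Bitly-style token before it reaches a public CDN. The bundle fragment and the token value in it are constructed stand-ins; the 40-hex token shape and its two contexts (a `access_token=` query parameter for the v3 API, a `Bearer` header for v4) are taken from the requests quoted in the report. Findings carry only a masked token, so the scanner's own output cannot leak the secret again.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a minified front-end bundle; the token below is a dummy
# value in the same 40-hex shape as a Bitly access token, not the key from the report.
SAMPLE_BUNDLE = (
    '!function(e){var t="https://api-ssl.bitly.com/v3/shorten?access_token='
    '0123456789abcdef0123456789abcdef01234567&longUrl=";'
    "e.getShortlink=function(n){return fetch(t+encodeURIComponent(n))"
    ".then(function(r){return r.json()})}}(window);"
)

# Bitly tokens are 40 lowercase hex characters; the v3 API takes them as a query
# parameter and the v4 API as a bearer token (as in the requests quoted in the
# report). Requiring that context keeps plain 40-hex values such as git commit
# ids in source-map comments from being reported as secrets.
PATTERNS = {
    "bitly_v3_query_token": re.compile(r"access_token=([0-9a-f]{40})(?![0-9a-f])"),
    "bearer_token": re.compile(r"Bearer\s+([0-9a-f]{40})(?![0-9a-f])"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    masked_token: str  # never the full secret, so the report itself cannot leak it
    offset: int        # character offset into the bundle, for locating the source
    context: str       # a little surrounding text so a reviewer can triage quickly


def mask(token: str) -> str:
    """Keep just enough of the token to correlate findings across builds."""
    return f"{token[:4]}…{token[-4:]}"


def scan_bundle(text: str, window: int = 40) -> list[Finding]:
    """Return one Finding per distinct token that appears in a credential context."""
    findings = []
    seen = set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            token = m.group(1)
            if token in seen:
                continue
            seen.add(token)
            start = max(0, m.start() - window)
            end = min(len(text), m.end() + window)
            findings.append(Finding(kind, mask(token), m.start(1), text[start:end]))
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.kind}: {f.masked_token} at offset {f.offset}\n    …{f.context}…")
```

Run it against the `static/js/*.chunk.js` output of a build and fail the pipeline on any non-empty result; the context patterns are deliberately narrow, so extend `PATTERNS` with the shapes of whatever other third-party tokens your front end is allowed to talk to.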
Assignee: nobody → gene

> It may also be possible to update already created short links in order to redirect users to unexpected locations.

Brian, can you attempt to modify the https://bit.ly/3kniZ7p link you created to a new URL to verify this?

Flags: needinfo?(geeknik)

(In reply to Gene Wood [:gene] from comment #1)

> It may also be possible to update already created short links in order to redirect users to unexpected locations.

> Brian, can you attempt to modify the https://bit.ly/3kniZ7p link you created to a new URL to verify this?

Done. I've tried every operation in their API in an attempt to modify that URL and have been unable to do so. Could it happen? Sure. Will it happen? Probably not.

Flags: needinfo?(geeknik)

Chris,
Could you look at the use of this bit.ly API key that appears to have been provisioned by Raluca-Elena Podiuc ( scorpia_04@yahoo.com ) back in 2014 and is present in the frontend code in telemetry-dashboard and by extension probe-dictionary? I don't think this API key is meant to be surfaced in frontend code as it gives clients the ability to act as Raluca's personal bitly account.

Can you point me to who may be able to update telemetry dashboard to either remove this bitly functionality or change it so that the API key is held server side instead of client side?

Flags: needinfo?(chutten)

I can update the telemetry dashboard and probe dictionary, though I'm approaching EOW here. The API use is client-side so using it server-side is not something I think can be done without some more interesting (time-consuming) changes.

Its use is in providing shortlinks for sharing specific views of these two websites, if that is helpful context.

Flags: needinfo?(chutten)

I'm adding :relud here to be someone who's able to throw a couple more hours at this if it needs immediate action this week.

> I can update the telemetry dashboard and probe dictionary,

I suspect there's not a lot of value in that since it would still be public

> The API use is client-side so using it server-side is not something I think can be done without some more interesting (time-consuming) changes.

Ya, makes sense. Maybe the functionality (of provisioning bitly links) could just be disabled?

> if it needs immediate action this week

I don't think it does. It's been public since 2014, I don't see an interesting exploit that an attacker could do with it that would indicate a high risk.

Assignee: gene → chutten

Seems like we have two things to handle: the API key, and the properties that use it.

For the API key: :gene, do you know if it's ours? Are we able to deprovision it?

For the web properties: I'm inclined to remove the URL shortening capability. I love that feature, and for the Measurement Dashboard specifically it's wildly useful, but that's the level of investment we can devote to those websites at this time.

Flags: needinfo?(gene)

> :gene, do you know if it's ours? Are we able to deprovision it?

No, it belongs to the developer's personal bit.ly account: Raluca-Elena Podiuc ( scorpia_04@yahoo.com )

After we remove it we could just report it to bit.ly as having leaked and they could revoke it.

> For the web properties: I'm inclined to remove the URL shortening capability. I love that feature, and for the Measurement Dashboard specifically it's wildly useful, but that's the level of investment we can devote to those websites at this time.

I think that makes sense, the effort to remove it is probably very small. If/when there's time to commit to adding it back in correctly (server side) you can.

Flags: needinfo?(gene)
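The fix the thread settles on is to remove the feature, with "adding it back in correctly (server side)" left for later. As an added example (not code from the telemetry-dashboard project or from anyone in this thread), here is what that server-side shape looks like in Python: the Bitly token lives only in the server's environment, the client sends a long URL to this service rather than to Bitly, and the service refuses to shorten anything that does not point back at the dashboard, so a leaked or abused endpoint cannot be used as a general-purpose shortener. The `BITLY_TOKEN` variable name, the `ALLOWED_ORIGINS` allowlist, and the v4 `/v4/shorten` request body are assumptions for this example (the endpoint and body follow the Bitly API reference the report links; the `link` response key is the one visible in the report's v4 output). The HTTP transport is injectable so the logic runs offline.

```python
import json
import os
import urllib.request
from typing import Callable, Optional
from urllib.parse import urlsplit

# Hypothetical configuration for this example: only links back into the
# dashboard itself may be shortened, so the key cannot be turned into a
# shortener for arbitrary destinations.
ALLOWED_ORIGINS = {"https://probes.telemetry.mozilla.org"}

# v4 shorten endpoint, per the Bitly API reference linked in the report (assumption).
BITLY_SHORTEN = "https://api-ssl.bitly.com/v4/shorten"

Transport = Callable[[str, dict, dict], dict]


def urllib_transport(url: str, headers: dict, body: dict) -> dict:
    """Real HTTP transport; used only when no fake transport is injected."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ShortlinkService:
    def __init__(
        self,
        token: Optional[str] = None,
        transport: Transport = urllib_transport,
        allowed_origins: Optional[set] = None,
    ):
        # The token is read from the server environment (hypothetical variable
        # name) and never handed to the browser.
        self.token = token or os.environ.get("BITLY_TOKEN", "")
        if not self.token:
            raise RuntimeError("BITLY_TOKEN is not configured")
        self.transport = transport
        self.allowed_origins = allowed_origins or ALLOWED_ORIGINS

    def validate(self, long_url: str) -> str:
        """Accept only absolute https URLs whose origin is on the allowlist."""
        parts = urlsplit(long_url)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError("only absolute https URLs may be shortened")
        # netloc includes any userinfo or port, so "host@evil.example" does not
        # collapse to an allowed origin.
        origin = f"{parts.scheme}://{parts.netloc.lower()}"
        if origin not in self.allowed_origins:
            raise ValueError(f"origin not allowed: {origin}")
        return long_url

    def shorten(self, long_url: str) -> str:
        """Shorten an allowed dashboard URL on behalf of the client."""
        long_url = self.validate(long_url)
        headers = {
            "Authorization": f"Bearer {self.token}",
            "Content-Type": "application/json",
        }
        resp = self.transport(
            BITLY_SHORTEN, headers, {"long_url": long_url, "domain": "bit.ly"}
        )
        return resp["link"]


if __name__ == "__main__":
    # Offline demonstration with a fake transport; swap in urllib_transport
    # and set BITLY_TOKEN to talk to the real API.
    def fake(url, headers, body):
        return {"link": "https://bit.ly/EXAMPLE"}

    svc = ShortlinkService(token="dummy-token", transport=fake)
    print(svc.shorten("https://probes.telemetry.mozilla.org/?view=histograms"))
```

Expose `shorten` behind whatever web framework the dashboard's backend already uses; the important properties are the two shown here, the token never leaving the server and the destination allowlist, and a per-client rate limit is the obvious third thing to add before exposing it publicly.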

:gene, would you happen to be our contact for bit.ly? Or be able to coordinate with whoever is?

Flags: needinfo?(gene)

:chutten

Yes, I can do that. Are your fixes in probe-dictionary and telemetry-dashboard deployed (such that if we have Bitly revoke the API key now it won't break anything)? If so I'll report the leaked API key to them.

Flags: needinfo?(gene) → needinfo?(chutten)

Measurement Dashboard is clear of the UI, but Probe Dictionary is still showing the UI. It might take until tomorrow morning for the latter to change (maybe it deploys nightly instead of automagically?) I may have to ask around.

Flags: needinfo?(chutten)

I'll take a look tomorrow at https://probes.telemetry.mozilla.org/ and see if the "Get Shortlink" link is still there and if it looks like it's updated I'll file something with bitly here

Alas it appears to still have the UI. I'm asking in the data eng team channels to see how to get that deployed (I guess there must be a manual step someplace, but I can't find docs for it).

There was a manual step indeed. The button was pushed and the new https://probes.telemetry.mozilla.org/ is up and has no shortlink. Should be good to go!

I've confirmed the UI is updated and that we're no longer using the key. I've reported the API key to bitly to have it revoked.

:geeknik

Thanks very much for reporting this issue to us. Now that the issue is fixed, the bug bounty team will be reviewing your report over the upcoming weeks to make a determination of what, if any, award Mozilla will be granting for this report. It may take up to 3 weeks, but know that we've not forgotten this ticket; we have a tracking system and a review cadence that will ensure that all potentially bounty-eligible reports get reviewed and acted on.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Keywords: sec-moderate → sec-low
Flags: sec-bounty?
Flags: sec-bounty-hof+
Flags: sec-bounty-

Hello Brian,

Thank you again for your report. We discussed your report and decided to award HoF since this bug is not reported on one of our critical or core sites. Please refer to our bounty payouts page for more details: https://www.mozilla.org/en-US/security/web-bug-bounty/.

Can you please let us know how you want to be mentioned on our hall of fame?

Thanks,
Frida

Group: websites-security
Flags: needinfo?(geeknik)

Please attribute Brian Carpenter, Geeknik Labs & Farm

And link the above to https://twitter.com/geeknik

Thank you.

Flags: needinfo?(geeknik)
