We recently discovered a Cross Site Request Forgery (CSRF) vulnerability in Bit.ly that is being used by affiliates to insert affiliate links into bit.ly accounts.
A quick primer on CSRF attacks (from Wikipedia):
The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated. For example, one user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob's bank's website (rather than an image file), e.g.,
If Bob's bank keeps his authentication information in a cookie, and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
With bit.ly, attackers are inserting links of their choice into logged-in users' bit.ly accounts. These links appear at the top of the Links History. They are taking advantage of the long cookie expiration for logged-in users (2 years, I think) and the fact that Bit.ly has no protection mechanisms in place against CSRF attacks.
To see a demo of the CSRF attack, do these things:
- Log into your bit.ly account (you are probably already logged in).
- Visit this page (it just adds a shortened link to BrandVerity's home page to your account).
- Go back to your bit.ly account and see the new link.
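The protection the post says bit.ly lacked, shown as an added example that is not bit.ly's code and not part of the original post: a constructed, minimal handler for an "add link" endpoint that refuses to treat the session cookie alone as authorization, since the browser sends that cookie on a forged cross-site request just as it does on a legitimate one. `SITE_ORIGIN`, the `Session`/`Request` classes and `login()` are stand-ins assumed for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bit.ly"  # assumed origin of the shortener (illustrative)

@dataclass
class Session:
    user: str
    # Per-session anti-CSRF token, only ever embedded in pages this site renders.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict

SESSIONS: dict[str, Session] = {}        # session cookie value -> Session
LINK_HISTORY: dict[str, list[str]] = {}  # user -> links, newest first

def login(user: str) -> str:
    """Constructed stand-in for login: returns the session cookie value."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user)
    LINK_HISTORY.setdefault(user, [])
    return cookie

def same_origin(header_value: str) -> bool:
    """Compare scheme and host of an Origin/Referer value with our own origin."""
    return urlsplit(header_value)[:2] == urlsplit(SITE_ORIGIN)[:2]

def handle_add_link(req: Request) -> int:
    """POST /add: put a link into the logged-in user's history (returns an HTTP status).
    The session cookie rides along on forged requests too, so it must not authorize alone."""
    if req.method != "POST":          # an <img> tag only ever issues GET
        return 405
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if origin is not None and not same_origin(origin):
        return 403                    # request came from another site
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403                    # a page on another site cannot read the token
    LINK_HISTORY[session.user].insert(0, req.form["url"])
    return 200
```

Only the legitimately rendered form, which carries the per-session token, reaches the final line; every variant of the image-tag or cross-site request described above is turned away before the link is written.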
The specific example we found involved an affiliate that was placing affiliate links into bit.ly accounts. While the links were unlikely to generate a purchase directly, they were unusual enough that a user would likely click on them to see where they went. Doing so would drop an affiliate cookie, and any purchase the user then made from the merchant would credit the affiliate for the sale.
Here is an example of a CSRF-attacked bit.ly account:
We haven't examined the other URL shortening services for this vulnerability, but it is likely that many of them are similarly vulnerable.