Eli Grey

bit.ly vulnerabilities

The bit.ly long url shortening service has an API that is used by their bit.ly bookmarklet to view past bit.ly url shortenings which technically isn’t a ‘vulnerability’ as it is a potentially dangerous ‘feature’.

Viewing bit.ly History

Viewing bit.ly History

I for one don’t think the history for an bit.ly user should have an API accessible without user verification. When combined with their bit.ly url stats API, website owners could use JavaScript to find out all the sites users have shortened using bit.ly and, to make it even more suprising for a user, they could include prefetched screenshots of the website (also included in the url stats API) and saying that a user has been there. The history API is identical to the bit.ly url stats API except you use history.php instead of feed.php.

I have quickly thrown together an example of what I can do with your bit.ly history. This example only works in Firefox, Safari, and Google Chrome because I only spent a few minutes making it and only tested it in Firefox while I made it.

Update: Fixed it to stop saying “Loading” if you have never used bit.ly. It now gives you a message to use bit.ly on a few long URLs and reload the page.

Leave a Reply