Eli Grey

bit.ly vulnerabilities

The bit.ly URL shortening service exposes an API, used by its bookmarklet to show a user's past bit.ly shortenings, that can be called by any website.

I for one don’t feel like bit.ly users’ shortened link histories should be accessible over an unauthenticated API. Any website can use JavaScript to read the full list of URLs a visitor has shortened with bit.ly, because nothing in the request proves the caller is bit.ly's own code rather than a third-party page. The history API is identical to the bit.ly URL stats API except that its endpoint is history.php instead of feed.php.

I have quickly thrown together an example of what I can do with your bit.ly history. This example only works in Firefox, Safari, and Google Chrome because I only spent a few minutes making it and only tested it in Firefox while I made it.

Update: Fixed it to stop saying “Loading” if you have never used bit.ly. It now gives you a message to use bit.ly on a few long URLs and reload the page.