Skip to main content

Of Auto-Authenticating URLs, Shortlinks, and Danger

The road to hell is paved with good intentions, they say.

So, it was a good intention when someone (not me) decided to install a link shortener and send password reset links through it, before producing the printed newsletters that would be sent out to individual members. They would need to type the URLs in by hand, so a shorter URL was a good idea. At least, it must have seemed like it, at the time.

Today I took a look at this system, which I was asked to clean up before it gets used again after several months of being ignored. I admit it didn't click in my mind immediately, but after producing some newsletter content in our staging system and verifying the shortlinks were being recorded properly, it suddenly jumped out of the screen and bit me on the nose:

The shortener was producing sequential links for a bunch of password reset links.

What this meant in practical terms is that two newsletters sent out with password reset links for two different users would send them URLs like http://foo.com/z1 and http://foo.com/z2 and while these were very short for the user to type in they were not easy to type in, if you require "correctly" as part of the measurement of how easy it is. They are so short and the space so condensed that mistyping won't get you a 404, but someone else's entirely valid password reset link. This is terrible. There is a reason password resets give you links with long randomized sequences of characters, and all of those reasons were being thrown out the window.

Turns out, a shortened URL can be too short.
Labels:

Comments

cool-RR said…
Nice observation!
4:30 AM
ashwoods said…
Not only is a short url too easy too mistype, but it is also very easy to hack. Say you only use a link with 6 random characters, upper-lower case letters and numbers. Than it would take a botnet to test all combinations, with only 5000 requests per second:

((((26 + 26 + 10)^6) / 5 000) / 3 600) / 24 = 131.482027

131 days to go through all combinations. So if you have maybe 50 users at a given time resetting passwords, you'll be finding links every 2.6 days on average.
4:57 AM
Anonymous said…
In the old days, we used check digits to catch the vast number of common typos. (The block mode terminals could validate the check digit without round tripping to the mainframe.)

While not addressing the predictability problem, it would address the "oops" problem.
11:05 PM
Post a Comment

Popular posts from this blog

CARDIAC: The Cardboard Computer

I am just so excited about this. CARDIAC. The Cardboard Computer. How cool is that? This piece of history is amazing and better than that: it is extremely accessible. This fantastic design was built in 1969 by David Hagelbarger at Bell Labs to explain what computers were to those who would otherwise have no exposure to them. Miraculously, the CARDIAC (CARDboard Interactive Aid to Computation) was able to actually function as a slow and rudimentary computer.  One of the most fascinating aspects of this gem is that at the time of its publication the scope it was able to demonstrate was actually useful in explaining what a computer was. Could you imagine trying to explain computers today with anything close to the CARDIAC? It had 100 memory locations and only ten instructions. The memory held signed 3-digit numbers (-999 through 999) and instructions could be encoded such that the first digit was the instruction and the second two digits were the address of memory to operat...
1 comment
Read more

Announcing Feet, a Python Runner

I've been working on a problem that's bugged me for about as long as I've used Python and I want to announce my stab at a solution, finally! I've been working on the problem of "How do i get this little thing I made to my friend so they can try it out?" Python is great. Python is especially a great language to get started in, when you don't know a lot about software development, and probably don't even know a lot about computers in general. Yes, Python has a lot of options for tackling some of these distribution problems for games and apps. Py2EXE was an early option, PyInstaller is very popular now, and PyOxide is an interesting recent entry. These can be great options, but they didn't fit the kind of use case and experience that made sense to me. I'd never really been about to put my finger on it, until earlier this year: Python needs LÖVE . LÖVE, also known as "Love 2D", is a game engine that makes it super easy to build ...
Post a Comment
Read more

My Software Job Transition Strategies?

I’ve been spending a good deal of the last two days preparing mentally for starting a whole new challenge as a developer. New things aren’t new to me, but this is different and big enough really call for some Deep Thoughts ™. For one thing, I’ve made a big move from the world of Python web development to totally other Python work and while web development has never been the only thing I do, it has been the only work that paid the bills. That transition isn’t one that bothers me or daunts me, though. Instead, I’m thinking about transitioning to the scope of the work I’m getting into. For a long time, I juggled multiple clients and client projects every day, so no single project usually took up most of my time. Every developer juggles time through the day, but exactly how that works in each company and on each project varies a lot. I was looking for a place that I could really focus in a way that I haven’t for a long time. I think I found that, but now I have to deal with the consequen...
Post a Comment
Read more