
Of Auto-Authenticating URLs, Shortlinks, and Danger

The road to hell is paved with good intentions, they say.

So, it was a good intention when someone (not me) decided to install a link shortener and send password reset links through it, before producing the printed newsletters that would be sent out to individual members. They would need to type the URLs in by hand, so a shorter URL was a good idea. At least, it must have seemed like it, at the time.

Today I took a look at this system, which I was asked to clean up before it gets used again after several months of being ignored. I admit it didn't click in my mind immediately, but after producing some newsletter content in our staging system and verifying the shortlinks were being recorded properly, it suddenly jumped out of the screen and bit me on the nose:

The shortener was producing sequential links for a bunch of password reset links.

What this meant in practical terms is that two newsletters sent out with password reset links for two different users would send them URLs like http://foo.com/z1 and http://foo.com/z2. These were very short for the user to type in, but they were not easy to type in, if you count "correctly" as part of the measurement of how easy it is. They are so short, and the space so condensed, that mistyping won't get you a 404 but someone else's entirely valid password reset link. This is terrible. There is a reason password resets give you links with long randomized sequences of characters, and all of those reasons were being thrown out the window.

Turns out, a shortened URL can be too short.
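To make the failure concrete, here is an added example (my own code, not the shortener or newsletter system the post describes) that issues 50 consecutive base-62 codes the way a counter-based shortener does, issues 50 random 32-character tokens the way a password reset flow should, and then measures what fraction of single-character typos lands on a different, still-valid code instead of a 404. The 62-character alphabet, the code lengths and the starting counter value are assumptions made for the demonstration.

```python
import secrets
import string

# 62-character alphabet (assumed; a typical base-62 shortener uses this set)
ALPHABET = string.ascii_letters + string.digits


def to_base62(n: int) -> str:
    """Encode a counter as a short base-62 string (the sequential scheme)."""
    if n == 0:
        return ALPHABET[0]
    out = []
    while n:
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def sequential_shortener(count: int, start: int = 1000) -> set[str]:
    """Issue `count` consecutive codes, the way a counter-based shortener does.
    The starting counter value is an assumption for the example."""
    return {to_base62(start + i) for i in range(count)}


def random_tokens(count: int, length: int = 32) -> set[str]:
    """Issue `count` unguessable codes from a CSPRNG, the way a reset flow should."""
    return {"".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)}


def single_edit_neighbours(code: str):
    """Yield every string one substitution away from `code`,
    i.e. every way to mistype exactly one character of it."""
    for i, c in enumerate(code):
        for r in ALPHABET:
            if r != c:
                yield code[:i] + r + code[i + 1:]


def typo_hit_rate(codes: set[str]) -> float:
    """Fraction of all single-character typos, over every issued code, that
    land on ANOTHER valid code (someone else's reset link) rather than a 404."""
    typos = hits = 0
    for code in codes:
        for candidate in single_edit_neighbours(code):
            typos += 1
            if candidate in codes:
                hits += 1
    return hits / typos if typos else 0.0


if __name__ == "__main__":
    seq = sequential_shortener(50)
    rnd = random_tokens(50)
    print("sequential 2-char codes:", sorted(seq)[:5], "...")
    print("typo lands on another live link: %.1f%%" % (100 * typo_hit_rate(seq)))
    print("random 32-char tokens, same measure: %.1f%%" % (100 * typo_hit_rate(rnd)))
```

With 50 consecutive codes starting at counter 1000 every code is two characters long and shares its first character, so each of the 61 possible typos in the second position collides with another user's link 49 times out of 61; about 40% of all single-character typos open someone else's reset page. The same measure over 32-character random tokens is zero in practice, which is the whole reason reset tokens are long and random, and why a shortener sitting in front of them must not replace that token with a counter.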

Comments

cool-RR said…
Nice observation!
ashwoods said…
Not only is a short url too easy to mistype, but it is also very easy to hack. Say you only use a link with 6 random characters, upper-lower case letters and numbers. Then it would take a botnet to test all combinations, with only 5000 requests per second:

((((26 + 26 + 10)^6) / 5 000) / 3 600) / 24 = 131.482027

131 days to go through all combinations. So if you have maybe 50 users at a given time resetting passwords, you'll be finding links every 2.6 days on average.
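Generalizing the arithmetic in the comment above (an added example, not the commenter's code, and the post describes no such tool): the same 62-character alphabet, 6-character length and 5000 requests per second reproduce the 131-day and 2.6-day figures, and the last helper turns the calculation around to ask how long a random code must be before blind guessing stops being practical at all. The century-long target and the assumption that the guesser is never rate limited are mine.

```python
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of the given length over the alphabet."""
    return alphabet_size ** length


def days_to_enumerate(alphabet_size: int, length: int,
                      requests_per_second: float) -> float:
    """Days needed to try every single code at a sustained request rate
    (assumes no rate limiting or lockout ever slows the guesser down)."""
    return keyspace(alphabet_size, length) / requests_per_second / SECONDS_PER_DAY


def mean_days_to_first_hit(alphabet_size: int, length: int,
                           requests_per_second: float, live_tokens: int) -> float:
    """Expected days until a blind guesser lands on ANY of `live_tokens` valid
    codes. With k live codes spread uniformly over N possibilities, each guess
    hits with probability k/N, so on average N/k guesses are needed."""
    return days_to_enumerate(alphabet_size, length, requests_per_second) / live_tokens


def min_length_for(alphabet_size: int, requests_per_second: float,
                   live_tokens: int, min_days: float) -> int:
    """Smallest code length whose expected time-to-first-hit is at least
    `min_days` under the stated guessing rate and number of live codes."""
    length = 1
    while mean_days_to_first_hit(alphabet_size, length,
                                 requests_per_second, live_tokens) < min_days:
        length += 1
    return length


if __name__ == "__main__":
    # The comment's scenario: 62 symbols, 6 characters, 5000 req/s, 50 live resets
    print("days to enumerate 62^6 at 5000/s: %.2f"
          % days_to_enumerate(62, 6, 5000))
    print("mean days until one of 50 live links is hit: %.2f"
          % mean_days_to_first_hit(62, 6, 5000, 50))
    # Assumed target: a century of expected safety at that rate
    print("min length for 100-year expected time-to-hit:",
          min_length_for(62, 5000, 50, 365 * 100))
```

The expected-time figure is the honest one to plan with: enumerating the whole space is the worst case for the guesser, while the first valid hit is what a defender actually fears, and it arrives `live_tokens` times sooner. Rate limiting, short token lifetimes and a lockout after a handful of bad guesses all shrink `requests_per_second` or `live_tokens` and move the numbers in the defender's favour, but a token that is long enough on its own does not depend on any of them working.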
Anonymous said…
In the old days, we used check digits to catch the vast number of common typos. (The block mode terminals could validate the check digit without round tripping to the mainframe.)

While not addressing the predictability problem, it would address the "oops" problem.
