Feeds

TinyURL, your configs are showing

Twitter pal leaves server wide open

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

TinyURL - the site that converts unwieldy web addresses into short, manageable URLs - has been caught running a server so poorly configured it represents a serious risk to its millions of trusting users, a security expert is warning.

At time of writing, the site's PHP module was actively broadcasting dozens of sensitive configuration settings. The information, which includes the web server's IP address, operating system and web application server, are all included, making the job of penetrating the widely-used service that much easier.

Even more remarkable, the server user is listed as root, and its group is wheel. These so-called "god" settings would allow anyone who is successful in breaking into the box to maximize the damage that could be caused. Even novice server admins know they should run the server in a setting known as "nobody" or something similar, which protects sensitive parts of the server from tampering.

Screenshot of TinyURL configuration settings

"This is the epitome of bad-practice," security consultant Rafal Los told The Register a few hours after publicly disclosing the misconfiguration on his blog. "Why would you want to run a web service as 'Administrator' because if I figure out a way to jack that service, I completely, 100% own that machine."

Los said he sent email to TinyURL addresses on Wednesday morning California time but never received a response. Emails The Register sent to various addresses, including one belonging to the site's founder, Kevin Gilbertson, weren't returned at time of writing. We'll be sure to update this story if we hear back.

The site's sloppy administration is much more than a mere curiosity. Because TinyURL significantly shortens long URLs, it's impossible it can be difficult for some end users to know where one of the site's links leads until they click on it. That makes the site the perfect vector for sending people to websites used in spam, malware attacks and other online scams. TinyURL's popularity has skyrocketed in the past year as it became the main way people on Twitter to share links.

The misconfiguration came to light through the collective sleuthing of Los and several readers of his blog. After noticing some strange errors in Twitter posts made by Fox News, Los originally suspected flaws in the online microblogging site. With the help of a user named Mubix and others, they quickly realized the errors were the result of poor practices at TinyURL. ®

Update

About four hours after this story was published, Gilbertson responded with the following statement: "That security 'expert' sure doesn't know how to read that. No daemons are run under an administrator or root user."

This story was corrected to reflect that it's not impossible to know where a TinyURL link leads. The site offers a preview feature.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.