Shopclues is an Indian unicorn ecommerce marketplace. Every user who places an order on Shopclues receives a text message with a link to track the order.
The short links, e.g. http://sclu.es/3zlVa, http://sclu.es/3zlVb, http://sclu.es/3zlVc, were actually serially iterable: each of them is a valid link which reveals the name, phone number, email, home address and order details of a Shopclues user. A simple script to iterate over all of them can be written as follows:
We reported this to Shopclues in the first week of March 2017. We received no acknowledgment email from them. A separate email sent to their cofounders did not receive any response. We rechecked the issue on 20 March and it was not fixed, but we found it fixed on 3 May 2017. The URL now asks for the email ID and phone number to confirm that the request is made by the authorised user.
As a developer it's important to understand that you should not keep sensitive and private data behind short links without authentication. How short are short links, you ask? Let's do a little math to understand this: if the code is 6 letters long (all capitals), we have this many possibilities:
You may think that this is a huge number and that no one can guess a random link. That would be correct, except that the more links you have generated so far, the more guessable each link becomes. Let's say you are an e-commerce website which has generated 1 million short links. Now if you divide:
On average, with every 308 wrong guesses one will be able to guess a correct link. So, if you decide to put users' personal sensitive data behind short links which can be accessed by anyone without authentication, think again.
The vulnerability in the case of Shopclues was even more severe because they did not even randomize the short links (though a single link looks like gibberish if you do not see a bunch of them together): they merely incremented them serially.
Increase the sample space of non-working short links: make the space so large that guessing becomes (almost) impossible.
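The arithmetic above and the advice to enlarge the sample space, worked through as an added example (this is not Shopclues' code nor the authors' script): it computes the expected number of random guesses per live link for any alphabet size, code length and number of issued links, reproduces the post's 26-letter, 6-character, 1-million-link scenario, generates codes from the operating system's random source rather than from a counter, and ties each code to the email-and-phone check the post says the fixed URL now performs. The `TrackingLinks` registry, the `new_code` helper and the sample order record are constructed for illustration.

```python
"""Guessability of short links, and a way to issue ones that are not guessable.
Added example; the registry class and sample order are constructed, not real."""
import hmac
import math
import secrets
import string
from typing import Dict, Optional


def sample_space(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def guesses_per_hit(alphabet_size: int, length: int, issued: int) -> float:
    """Expected number of random guesses needed to land on one live link.

    If `issued` live codes are spread uniformly over the space, each guess is live
    with probability issued / space, so on average space / issued guesses yield a hit.
    For serially incremented codes this figure is meaningless: the neighbours of any
    known code are live, so the size of the space provides no protection at all.
    """
    if issued <= 0:
        raise ValueError("issued must be positive")
    return sample_space(alphabet_size, length) / issued


def bits_of_work(alphabet_size: int, length: int, issued: int) -> float:
    """The same figure expressed in bits: log2 of the guesses needed per hit."""
    return math.log2(guesses_per_hit(alphabet_size, length, issued))


ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def new_code(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Unpredictable code from the OS CSPRNG; never derived from a counter or order id."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class TrackingLinks:
    """Hypothetical registry. A code alone does not resolve to an order; the caller
    must also present the email and phone number on that order, as the fixed
    Shopclues URL now requires."""

    def __init__(self, length: int = 12) -> None:
        self.length = length
        self._orders: Dict[str, dict] = {}

    def issue(self, order: dict) -> str:
        while True:
            code = new_code(self.length)
            if code not in self._orders:  # collisions are astronomically rare, but check
                self._orders[code] = order
                return code

    def resolve(self, code: str, email: str, phone: str) -> Optional[dict]:
        order = self._orders.get(code)
        if order is None:
            return None
        # Constant-time comparisons; '&' evaluates both so timing does not reveal
        # which field was wrong.
        ok = hmac.compare_digest(order["email"].lower().encode(), email.lower().encode()) \
            & hmac.compare_digest(order["phone"].encode(), phone.encode())
        return order if ok else None


if __name__ == "__main__":
    # The post's scenario: 26 capital letters, 6 characters, 1,000,000 links issued.
    print(sample_space(26, 6))                      # 308915776 possibilities
    print(round(guesses_per_hit(26, 6, 10**6)))     # about 309 guesses per live link
    # A 62-symbol alphabet and 12 characters with the same number of links issued.
    print(f"{guesses_per_hit(62, 12, 10**6):.3g}")  # about 3.2e15 guesses per live link
    print(f"{bits_of_work(62, 12, 10**6):.1f} bits of guessing work")

    links = TrackingLinks()
    order = {"name": "A. Customer", "email": "a@example.com", "phone": "9999999999"}  # constructed
    code = links.issue(order)
    print(links.resolve(code, "a@example.com", "9999999999") is order)   # True
    print(links.resolve(code, "a@example.com", "0000000000") is None)    # True
```

The two printed ratios are the whole argument in numbers: a 6-capital-letter code with a million links issued is hit about once every 309 random tries, while a 12-character alphanumeric code with the same million links needs on the order of 10^15 tries per hit, and even that only holds when the codes are random rather than sequential.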
Try a combination of these: