So far there’s no evidence that hackers have taken advantage of the exposure to access accounts without permission.
Bitly is the go-to URL shortener for Twitter posts in particular, where every character counts. The service is free to use, but users can sign up to track which of their links were clicked and when, and to connect their Facebook and Twitter accounts so they can post from within the application.
Although Bitly hasn’t seen malicious activity, it has taken the precaution of disconnecting all users’ Facebook and Twitter accounts; users can reconnect them at their next login.
“We invalidated all credentials within Facebook and Twitter,” wrote Mark Josephson, CEO at Bitly, in a blog. “Although users may see their Facebook and Twitter accounts connected to their Bitly account, it is not possible to publish to these accounts until users reconnect their Facebook and Twitter profiles.”
The company also urged people to change their API keys and OAuth tokens, and to reset their passwords. Because rotating the API key replaces the old one, users need to record the new key and update every application that uses it, including social publishing tools, share buttons and mobile apps.
Josephson didn’t provide details as to what the compromise actually was, saying only that Bitly has “already taken proactive measures to secure all paths that led to the compromise and ensure the security of all user data going forward.”
It’s unclear whether the issue is related to the “covert redirect” flaw found to affect almost all major OAuth 2.0 and OpenID providers, such as Facebook, Google, Yahoo, LinkedIn, Microsoft, GitHub, QQ, Taobao, Weibo, VK, Mail.Ru and Sohu. Jing Wang, a doctoral student in mathematics at the Nanyang Technological University in Singapore, found that many providers validate a client’s redirect_uri only loosely (by domain rather than exact match), so an open redirector on the client site can bounce the provider’s authorization response to an attacker-controlled destination. The weakness therefore involves both the client, which hosts the open redirect, and the provider, which accepts it. For OAuth 2.0, the leaked response can include the user’s access token, which could then be used to access user information.
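The redirect_uri problem described above, as an added example that is not Bitly’s code, Wang’s proof of concept, or any provider’s implementation: a toy OAuth 2.0 implicit-grant authorization endpoint with a domain-only redirect_uri check beside an exact-match check, plus a hypothetical open redirector on the client’s domain. All hosts, paths, client identifiers and the token value are constructed for the example. The one real-world behaviour it relies on is that mainstream browsers carry the URL fragment (where the implicit grant puts the token) across a redirect whose Location header has no fragment of its own.

```python
from urllib.parse import urlparse, parse_qs

# Constructed registration data: a hypothetical client and the single
# redirect_uri it registered with the provider.
REGISTERED_CLIENTS = {
    "client-123": "https://client.example/oauth/callback",
}

# The URL an attacker submits as redirect_uri: the client's own open
# redirector, pointed at the attacker's host (hypothetical paths).
ATTACK_URI = "https://client.example/redirect?to=https://attacker.example/steal"


def redirect_uri_allowed_by_domain(client_id, redirect_uri):
    """Weak check: accept any https URL on the registered host.
    This is the loose, domain-based validation the covert redirect report
    describes; any path on client.example passes, including /redirect."""
    registered = urlparse(REGISTERED_CLIENTS[client_id])
    candidate = urlparse(redirect_uri)
    return candidate.scheme == "https" and candidate.hostname == registered.hostname


def redirect_uri_allowed_exact(client_id, redirect_uri):
    """Strict check: the redirect_uri must equal the registered value exactly."""
    return redirect_uri == REGISTERED_CLIENTS[client_id]


def authorize(client_id, redirect_uri, validator, token="tok-abc"):
    """Provider side of the implicit grant. If the validator accepts the
    redirect_uri, return the Location the browser is sent to, with the
    access token in the fragment; otherwise refuse with None."""
    if client_id not in REGISTERED_CLIENTS:
        return None
    if not validator(client_id, redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


def open_redirector(location):
    """Client side: a hypothetical /redirect?to=... endpoint that forwards the
    browser wherever 'to' says. Returns the final URL the browser lands on.
    Because the redirect target has no fragment, the browser keeps the one it
    arrived with, so the token travels to the new host."""
    parsed = urlparse(location)
    target = parse_qs(parsed.query).get("to", [None])[0]
    if parsed.path == "/redirect" and target:
        return f"{target}#{parsed.fragment}" if parsed.fragment else target
    return location


def run_attack(validator):
    """Full chain for one validator: provider issues the token, client's open
    redirector forwards it. Returns the URL the token ends up at, or None if
    the provider refused the redirect_uri."""
    location = authorize("client-123", ATTACK_URI, validator)
    if location is None:
        return None
    return open_redirector(location)


if __name__ == "__main__":
    print("domain check:", run_attack(redirect_uri_allowed_by_domain))
    print("exact check: ", run_attack(redirect_uri_allowed_exact))
```

With the domain-based check the token lands on attacker.example; with exact matching the provider refuses the request before any token is issued, while the client’s legitimate callback still works. Exact matching is the mitigation on the provider side; removing the open redirector (or restricting its targets to a fixed list) is the client-side fix, and a client that cannot rely on its provider should do the latter regardless.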