30M protected links exposed by ‘safe’ link-sharing provider


A safe-linking service accidentally exposed millions of links that were meant to be private, along with the account data of the users who created them. Malicious bots wasted no time in exploiting the open database.

When sharing links, it's crucial to control who can access the data. Safe linking services are created for this purpose.

These services allow you to create protected links with various safety controls, such as passwords, PINs, IP address limitations, or real-time URL scanning, to secure access and protect users from malicious links.


Microsoft and Google integrated safe linking into their products long ago. For those who do not subscribe to the tech giants' solutions, there are platforms on the internet that provide similar services. However, relying on a third-party service carries its own risk, particularly when that service makes a configuration mistake.

This is what happened to Safelinking.net, a platform designed to protect and manage links. On August 5th, the Cybernews research team discovered that it was publicly exposing a tremendous amount of user data that was supposed to be protected.

Apart from making 30 million private links public, the platform also exposed the account data of over 156,000 users.

What data was leaked?

  • Usernames
  • Emails
  • Salted password hashes and API hashes
  • Notification settings
  • Security settings associated with the links
  • Social media account IDs
  • Protected links
[Screenshot: Safelinking data leak]

Malicious bots find the data

The leak was caused by a misconfigured MongoDB database that was reachable from the internet and required no authentication at all. While investigating the leak, the research team discovered traces of malicious bots that had already targeted the unprotected database.
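An exposed MongoDB instance of this kind usually comes down to two settings in mongod.conf: binding to every network interface and leaving authorization off. The following is an added example (not code from Cybernews or Safelinking, whose actual configuration is not known) that audits a configuration file for exactly those two weaknesses, with a constructed weak configuration beside its hardened counterpart. The YAML parser handles only the nested key/value subset that mongod.conf uses; that limitation is an assumption of this example.

```python
"""Audit a mongod.conf for the two settings that turn a MongoDB instance into an
open database: listening on every interface and running without authorization.

Added example (not code from Cybernews or Safelinking); the configuration text is
constructed to illustrate the pattern, and the real Safelinking configuration is
not known.
"""


def parse_simple_yaml(text: str) -> dict:
    """Minimal parser for the nested key/value subset of YAML used by mongod.conf.

    Handles indentation-based mappings and scalar values; comments are dropped.
    It is an assumption that the config uses no lists, anchors or multi-line values.
    """
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(text: str) -> list:
    """Return a list of findings; an empty list means neither weakness is present."""
    cfg = parse_simple_yaml(text)
    findings = []

    net = cfg.get("net", {})
    # mongod 3.6 and later bind to localhost unless told otherwise.
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append("net.bindIp: mongod listens on all interfaces")

    security = cfg.get("security", {})
    # Without authorization enabled, any client that can reach the port can
    # read, modify or drop every database: exactly what the ransom bots do.
    if security.get("authorization") != "enabled":
        findings.append("security.authorization: not enabled; no credentials required")

    return findings


# Constructed sample: the kind of configuration that produces an open database.
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from the internet
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: the corrected version. Note that enabling authorization only
# helps once an admin user has actually been created with db.createUser().
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-network address
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or ["ok"])
```

Both findings are reported independently on purpose: an instance with authorization enabled but bound to all interfaces is still exposed to credential brute-forcing and to any future authentication bug, so it belongs behind a firewall or on a private network as well.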


Misconfigured MongoDB databases are routinely found by automated bots, which insert a README collection containing a ransom demand. If the database owner does not pay, the bots destroy the database's content by issuing a "delete" (drop) command. Paying rarely helps: these bots generally do not take a copy of the data before wiping it, so there is nothing for the attacker to restore.

Such a note was discovered in the leaked database belonging to Safelinking. The note demanded payment of 0.0057 BTC, which, at the time of publishing, was nearly $660. "In 48 hours, your data will be publicly disclosed and deleted," reads the ransom note.

Following the ransom demand, a malicious bot destroyed the open database, which is no longer publicly accessible. We have contacted the company for comment but have yet to receive a response.


Free access to sensitive data

Notification settings, social media account IDs, and API hashes are considered sensitive data, as is the collection of millions of links that were meant to be secure. Salting slows offline cracking of the leaked password hashes but does not prevent it for weak or reused passwords, so affected users should change their Safelinking password, rotate any API credentials, and reset the same password wherever else it was used.

"It's a good reminder of why it's so important to have solid security measures in place for platforms handling this type of data,” said the Cybernews research team.

“Even if the platforms sometimes fail to secure users' privacy, it's good to know basic security hygiene, like using multi-factor authentication.”

While the team did not inspect the information behind the links, it's very likely that at least some of them contained private and sensitive information. It is a common practice to share such data using safe links with access control.


Safe links are often used to give access to healthcare information, paid e-learning material, private photos, and websites under development. They’re also convenient for sending invoices, requesting payment, or transferring job-related internal documents.

In this case, threat actors may have used the leaked links to access private or sensitive content and exploit it for identity theft.

Exposed account details, such as usernames, emails, and social media account IDs, may be used for phishing attacks, which can lead to further reputational and financial damage.