U.S. gov. accidentally publishes own short-URL 'admin' API key

Days after the Go.USA.gov short-URL service's API became available to U.S. government employees, the department accidentally published the admin username and API key, allowing hackers to potentially create short URLs to phishing, scam or malware-ridden sites.
Written by Zack Whittaker, Contributor

The U.S. government mistakenly published a secret administrator's username and private API key on its short URL website that could have potentially allowed anyone to redirect Web users to malware-ridden pages through the official U.S. government short URL service, ZDNet has learned.


Australia-based self-confessed "Internet geek" Jack Cola discovered that the private API key had been posted on the Go.USA.gov API documentation page, with the username of the administrator's account and the private API key in one of the examples.

This allowed Cola to use the administrator's username without a password, along with the private API key string, to direct users clicking on an apparently legitimate U.S. government shortened URL to a potentially harmful page. 

The API works like this:


By plugging in the appropriate values along with an administrator's login and the private API key, one would think it would be as easy as that? Wrong. The flaw was not quite that simple, and although it took a little extra legwork to get the API to accept a link from an unauthorized domain name, hackers are clever folk (just in case you didn't know).

Cola told ZDNet that the API is "pretty smart," and checks to make sure that the URL being shortened is on an official U.S. government domain, such as a .gov, .mil or .edu domain name. He said that many U.S. government websites still use open-redirect pages to direct users outside their websites.

As ZDNet's Michael Lee reported last week, scammers discovered a way to link scam or phishing sites through the official 1.USA.gov or Go.USA.gov short URL service by a third-party URL shortener, such as Bit.ly. (1.USA.gov is powered by Bit.ly, while the Go.USA.gov is powered in-house.)

The GSA worked with Bit.ly to correct the vulnerability and close the 1.USA.gov loophole that allowed open redirects; shortened links must now go through the Go.USA.gov site, which is open to U.S. government employees only. However, many of these open-redirect pages are still in operation, in spite of the malware risk warning by security giant Symantec.

Though this third-party loophole is now closed, it is still possible to use U.S. government open-redirects through the API. But because it is open only to U.S. government employees, it means the Go.USA.gov short URL service is secure and trusted.

Again, wrong.

A GSA spokesperson said: "The API key given as an example is not active," but she was unfortunately misinformed.

Anyone visiting the API documentation page would have been able to curate unauthorized links purporting to be from the official U.S. URL shortening service. While the "admin" username has since been replaced with "test," a Google cache of the page from earlier this month still shows the "admin" account in the example string.

By replacing the {user_name} with admin and {api_key} with 770915505bafb779557abb98, along with a link of your choice appended to the end of a U.S. government open-redirect page, the API believes that the non-official link is coming from a trusted U.S. government domain. No API is that clever, after all.

Here's an example of what it would look like:

&shortUrl=http://www.healthandwelfare.idaho.gov/LinkClick.aspx?link= http://www.jackcola.org
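The bypass described above works because a check on the hostname alone cannot see where an open-redirect page will send the visitor next. The following is an added illustration written for this article, not code from the GSA or the Go.USA.gov service, whose actual validation logic is not described beyond the domain check Cola mentions. It assumes a trusted-suffix list of .gov, .mil and .edu (the article names those three; the real list is not stated), puts a naive host-suffix check beside a hardened one that also rejects URLs carrying another URL in their query parameters, and runs the article's own example through both.

```python
from urllib.parse import urlparse, parse_qs

# Domain suffixes the shortener trusts. The article names .gov, .mil and .edu;
# the exact list used by Go.USA.gov is not stated, so this is an assumption.
TRUSTED_SUFFIXES = (".gov", ".mil", ".edu")

# The link from the article: a trusted host whose page redirects elsewhere.
# (The stray space after "link=" is reproduced from the article as printed.)
ARTICLE_EXAMPLE = ("http://www.healthandwelfare.idaho.gov/LinkClick.aspx"
                   "?link= http://www.jackcola.org")


def naive_is_trusted(url: str) -> bool:
    """Host-suffix check only: the kind of check an open redirect walks past."""
    host = (urlparse(url).hostname or "").lower()
    return host.endswith(TRUSTED_SUFFIXES)


def embedded_urls(url: str) -> list[str]:
    """Return any absolute URLs carried inside the query string of `url`.

    parse_qs percent-decodes values, so an encoded http%3A%2F%2F... is caught
    as well as a plain one; protocol-relative //host values are caught too.
    """
    parsed = urlparse(url)
    found = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            value = value.strip()
            if value.lower().startswith(("http://", "https://", "//")):
                found.append(value)
    return found


def hardened_is_trusted(url: str) -> tuple[bool, str]:
    """Host-suffix check plus rejection of links that carry another URL in
    their parameters, the pattern open-redirect endpoints such as
    LinkClick.aspx?link= depend on. Returns (accepted, reason)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme is not http(s)"
    host = (parsed.hostname or "").lower()
    if not host.endswith(TRUSTED_SUFFIXES):
        return False, f"host {host!r} is not on a trusted suffix"
    nested = embedded_urls(url)
    if nested:
        return False, f"query carries embedded URL(s): {nested}"
    return True, "ok"


def compare(url: str) -> dict:
    """Run both checks on one URL so the difference is visible side by side."""
    accepted, reason = hardened_is_trusted(url)
    return {"naive": naive_is_trusted(url), "hardened": accepted, "reason": reason}


if __name__ == "__main__":
    for sample in (ARTICLE_EXAMPLE,
                   "https://www.usa.gov/some/page",
                   "http://agency.gov/r?u=http%3A%2F%2Fexample.invalid",
                   "http://example.invalid/"):
        print(sample, "->", compare(sample))
```

The hardened check is deliberately conservative: a legitimate government page that happens to carry a URL in a parameter will be rejected too, which is the right trade-off for a service whose short links carry the government's name. Rejecting such links is cheaper than discovering afterwards, as happened here, that the trusted-domain check was only as strong as the least careful redirect page behind it.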

As a result, Cola used the service to turn his own webpage -- www.jackcola.org -- into an official U.S. government short URL link -- go.usa.gov/YGmR. At the time of writing, this link was still in operation but may since be removed.

However, within a couple of hours after Cola informed the U.S. General Services Administration (GSA), the "admin" username was removed from the site and the private API key was changed. The published key now returns the following value:

{"response":{"errorCode":"1105","errorMessage":"Invalid API key","statusCode":"ERROR"}}

Earlier today, when we verified the private API key, it was active and working, and returned a valid server response indicating that the originally published private API key was in fact valid, in spite of the GSA spokesperson's response.

Cola was kind enough to reach out to ZDNet only after he received confirmation that the vulnerability had been patched and the private API key changed. But if the self-confessed "Internet geek" was clever enough (and lucky enough to stumble upon it in the first place) to spot it, others may have done so too, including hackers, scammers and malware writers.

"It's a bit embarrassing in what they've done," Cola said.

Yes, yes it is. 
