Bit.ly url calls embedded in Web AppBuilder! How secure is that?

02-21-2017 05:24 AM
DavidWendelken
Occasional Contributor

I noticed that Web AppBuilder includes JavaScript calls to bit.ly URL addresses. That seems to me to be very insecure as we have no way of knowing, from one day to the next, what website is being masked by that call to bit.ly.

Is Esri aware that its developers have embedded bit.ly URLs in its web code?

Who owns the Bit.Ly web addresses being used?  Does Esri own them?  Or some random developer?

Whoever has access to that bit.ly address could redirect our calls to a webpage that captures information and then relays the request to the correct Esri URL to return the correct values. That would be a classic man-in-the-middle attack, except that Esri would be culpable for helping them do it.


0 Kudos
5 Replies
DerekLaw
Esri Esteemed Contributor

Hi David,

> Is Esri aware that its developers have embedded bit.ly URLs in its web code?


Yes, we are aware of this and this functionality is by design. Esri has an agreement in place with Bitly and we use them as our provider for shortening URLs. FYI, we only use the shortener for publicly shared information items. We do not include any token info in the URLs. We hope this alleviates your concerns.

Hope this helps,

DavidWendelken
Occasional Contributor

There were references to both Bit.ly and also Bitly.com. ESRI is using both services for this purpose? That seems odd. And why on earth does your hard-coded software URL need a URL shortener?

Second, we use the Portal in a stand-alone, not connected to the internet manner on our own private network.

The installation instructions for webappbuilder in this arrangement do not include instructions on how to adapt the software components that use these web addresses.

What do we do to make this work so the entire product works as intended?    Failing that, precisely what functionality have we lost because of this "feature"?

0 Kudos
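Added example, not part of the original thread and not Esri code: one way to inventory which external hosts a deployed web app's JavaScript refers to, which is the first step in working out what a disconnected install cannot reach. The function names, file names and every hostname other than bit.ly and bitly.com are constructed for illustration.

```javascript
// Added example: list hosts referenced in shipped JavaScript that are not
// on the internal network, and flag the shortener domains from the thread.
const SHORTENER_DOMAINS = ["bit.ly", "bitly.com"];

// Absolute URLs, plus protocol-relative ones that start a quoted string
// (the lookbehind keeps ordinary "// comment" text from matching).
const URL_PATTERN =
  /(?:https?:|(?<=["'`]))\/\/[a-z0-9.-]+\.[a-z]{2,}(?::\d+)?[^\s"'`)<>\\]*/gi;

// Exact match or true subdomain, so "notbit.ly" is not treated as "bit.ly".
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// files: { path: sourceText }. internalDomains: hosts reachable offline.
function auditSources(files, internalDomains) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((line, idx) => {
      for (const raw of line.match(URL_PATTERN) || []) {
        let host;
        try {
          const full = raw.startsWith("//") ? "https:" + raw : raw;
          host = new URL(full).hostname.toLowerCase();
        } catch {
          continue; // not parseable as a URL, ignore
        }
        if (internalDomains.some((d) => matchesDomain(host, d))) continue;
        const isShortener = SHORTENER_DOMAINS.some((d) => matchesDomain(host, d));
        const kind = isShortener ? "shortener" : "external";
        findings.push({ file, line: idx + 1, host, kind });
      }
    });
  }
  return findings;
}

// Constructed sample sources (hypothetical paths and hosts).
const SAMPLE_FILES = {
  "share/widget.js": [
    'var shortUrl = "https://bit.ly/EXAMPLE";',
    'var info = "http://www.bitly.com/";',
    'var rest = "https://portal.example.internal/arcgis/sharing/rest";',
  ].join("\n"),
  "env.js": [
    'loadScript("//cdn.example.org/lib.js");',
    'var lookalike = "https://notbit.ly/x"; // not a bit.ly subdomain',
  ].join("\n"),
};
console.log(auditSources(SAMPLE_FILES, ["example.internal"]));
```

To run it against a real deployment, build the `files` object by reading the app's `.js` files from disk and pass your own internal domain list.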
DerekLaw
Esri Esteemed Contributor

Hi David,

> There were references to both Bit.ly and also Bitly.com. ESRI is using both services for this purpose?

FYI, Bitly.com is the name of the company, and "Bit.ly" is the short URL to shorten URLs.

Bitly - Wikipedia 

> And why on earth does your hard-coded software url need a url shortener?

We provide this functionality to enable users to reference their web maps, apps, etc. on Twitter for example.

> The installation instructions for web appbuilder in this arrangement do not include instructions on how to adapt the software components that use these web addresses.

Portal for ArcGIS includes an embedded version of Web AppBuilder for ArcGIS and there are no additional configuration steps needed to make it work. Once you install Portal, it should work out of the box. There is also Web AppBuilder for ArcGIS Developer Edition - which does require configuration with Portal.

FYI: This URL shortening capability is available in both Portal for ArcGIS (e.g., when you create web maps and apps). You can disable it in Portal by setting the advanced configuration options:

Set advanced portal options—Portal for ArcGIS (10.5) | ArcGIS Enterprise.

In Web AppBuilder for ArcGIS, the functionality is accessed via its Share widget.

Hope this helps,

DavidWendelken
Occasional Contributor

Thanks!  I'll start digging thru those references!

0 Kudos
HannahGray
New Contributor II

I'm using ArcGIS Online and trying to publish a survey to embed in a dashboard. When I started this yesterday the surveys had the full URL ("https://survey123.arcgis.com/share/....."); now they are a shortened version which doesn't seem to work with some of the URL parameters I'm trying to set. Is there any way to disable this?

0 Kudos