15 Apr 2016

Shortened URLs From Bit.Ly And Goo.gl Pose Security Threat, Reveal Cloud Data

If, like me, you lean towards web minimalism and, rather than pasting a tediously long permalink, prefer one of the many popular URL shortening tools, you might be opening your little cyber doors and windows to hackers. Two researchers at Cornell Tech, Martin Georgiev and Vitaly Shmatikov, have demonstrated how easy it is for attackers to brute force a shortened URL, through which they may reach your private information and even plant malware in your cloud storage accounts.

URL shortening tools offered by companies like Google and Microsoft are undoubtedly useful, replacing the existing permalink with a random six-character web address. The researchers used trial and error to discover users' private files stored in Google Drive and Microsoft OneDrive and shared through shortened URLs. They state that, of the many accounts they went through, approximately seven percent of the OneDrive and Google Drive ones were exposed this way.


During the experiment they also found that shortened Google Maps URLs could be broken just as easily, revealing the route between two private addresses and thus breaching the user's privacy. Some map links gave away details such as a user's hospital, place of worship or abortion clinic, and, most alarmingly, in some cases their home address.

The researchers used the Bit.ly service that Microsoft relies on to generate short URLs for OneDrive files and folders to create 71 million OneDrive short URLs. Of these, 24,000 were valid and allowed them to access private files and folders. They also found that, having recovered the long-form web address through the shortened one, they could alter that address to reach other folders and files created by the same user. Once such folders are reachable, attackers may drop malicious content into them, and it would automatically be synced to the user's hard drive.

For Goo.gl, they generated 23 million random short URLs in the Google Maps format and were surprised to find that about 10 percent of them resolved to actual navigation directions. The duo illustrated the level of threat with one sample: a woman who had visited a Planned Parenthood facility, whose full name, age and home address they were able to confirm. Scary!

Georgiev and Shmatikov began their experiment last year and notified Google about it in September. Google acted responsibly and increased the URL length to 11 or 12 characters, making it far harder to brute force. The company also put preventive measures in place to identify and block automated scanning of short web addresses. Microsoft had earlier dismissed the researchers' concern, but removed the URL shortening tool from OneDrive last month. Existing vulnerable links are still accessible, though.
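To see why six characters are too few and why lengthening the token plus blocking scanners helps, here is an added Python example (not code from the study or from either vendor) that works through the article's own figures: the 62-symbol alphabet, the 71 million scans with 24,000 hits, and the move from 6 to 12 characters. The `flag_scanners` helper and its event tuples are a constructed illustration of what "blocking automated scanning" can look like on the server side.

```python
import math
import secrets
import string

# bit.ly and goo.gl tokens draw from upper/lower-case letters and digits (62 symbols)
ALPHABET = string.ascii_letters + string.digits

def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random token of this length."""
    return length * math.log2(alphabet_size)

def hit_rate(scanned: int, hits: int) -> float:
    """Fraction of scanned tokens that resolved to a live link."""
    return hits / scanned

def guesses_per_hit(rate: float) -> float:
    """Expected random tokens an enumerator must try before one resolves."""
    return 1.0 / rate

def hit_rate_after_lengthening(rate: float, old_len: int, new_len: int,
                               alphabet_size: int = len(ALPHABET)) -> float:
    """Hit rate for the same population of live links once tokens are longer:
    the keyspace grows by alphabet_size ** (new_len - old_len) while the
    number of live links stays the same, so the density drops by that factor."""
    return rate / alphabet_size ** (new_len - old_len)

def generate_token(length: int = 12) -> str:
    """Uniform random token from a CSPRNG, the kind a shortener should issue."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def flag_scanners(events, max_misses: int = 100):
    """Clients that pile up unresolved lookups look like enumeration.
    events: iterable of (client, token, resolved: bool); returns flagged clients."""
    misses = {}
    for client, _token, resolved in events:
        if not resolved:
            misses[client] = misses.get(client, 0) + 1
    return sorted(c for c, n in misses.items() if n >= max_misses)

if __name__ == "__main__":
    onedrive = hit_rate(71_000_000, 24_000)  # figures quoted in the article
    print(f"6-char keyspace: {keyspace(6):.2e} ({entropy_bits(6):.1f} bits)")
    print(f"hit rate {onedrive:.2e} -> {guesses_per_hit(onedrive):.0f} guesses per hit")
    longer = hit_rate_after_lengthening(onedrive, 6, 12)
    print(f"at 12 chars: {longer:.2e} -> {guesses_per_hit(longer):.2e} guesses per hit")
```

With the article's numbers, a scanner needed roughly three thousand guesses per live OneDrive link; the same population behind 12-character tokens would need on the order of 10^14, which is why longer tokens and scanner blocking together take the attack off the table.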

You can read their detailed study in their report, Gone In Six Characters.
