Shortened URLs From Bit.Ly And Goo.gl Pose Security Threat, Reveal Cloud Data
If like me, you're more inclined towards web-minimalism and instead of pasting the tediously longish permalink, prefer to go with one of the many popular URL shortening tools, you might be opening your little cyber doors and windows to hackers. Two researchers at Cornell Tech, Martin Georgiev and Vitaly Shmatikov, were able to demonstrate successfully how easy it is for hackers to brute force a shortened URL, via which they may access your private information and even infect your cloud storage accounts with malware.
URL shortening tools provided by tech companies like Google and Microsoft are undoubtedly useful, replacing the existing permalink with a random six-digit web address. The researchers employed a trial and error method to discover user's private files stored in Google Drive and Microsoft OneDrive shared by the shortened URLs. They state that out of the many accounts they went through, approximately seven percent of OneDrive and Google Drive were jeopardized this way.
During the experiment it was discovered that the shortened Google Maps URLs could be easily broken, revealing the route between two private addresses, thus breaching the user's privacy. Some map links gave out details like a user's hospital address, his place of worship, abortion clinics, and for some scaringly their home addresses even.
Researchers used Microsoft's Bit.ly service, that the company uses to generate short URLs for OneDrive files and folders, to create 71 million OneDrive short URLs. Out of these, 24,000 were legal and allowed them to access private files and folders. They claimed that by opening the longform web-address through the shortened one, they were even able to alter web address to access different folders and files created by the same user. Once these folders are accessed, hackers may inject any malicious content into them and they'd automatically be copied in the user's hard drive.
For Goo.gl, they revealed that out of the 23 million randomly created short-URLs of Google Maps, they were surprised to find that about 10 percent of them opened up actual navigated directions. The duo were able to illustrate the level of threat by sampling a woman who visited a Planned Parenthood facility, accurately confirming her complete name, age and residential address. Scary!
Georgiev and Shmatikov began their experiment last year, and notified Google about it in September. Google acted responsibly and increased the URL length to 11 or 12 digits, making it difficult to crack by force. the company even initiated preventive measures to identify and block auto-scanning of short web addresses. Microsoft had earlier ignored the researchers' concern, but removed the URL shortening tool from OneDrive earlier last month. The existing vulnerable links are still accessible though.
You may go through their detailed study in their report here - #-Link-Snipped-#.
URL shortening tools provided by tech companies like Google and Microsoft are undoubtedly useful, replacing the existing permalink with a random six-digit web address. The researchers employed a trial and error method to discover user's private files stored in Google Drive and Microsoft OneDrive shared by the shortened URLs. They state that out of the many accounts they went through, approximately seven percent of OneDrive and Google Drive were jeopardized this way.
During the experiment it was discovered that the shortened Google Maps URLs could be easily broken, revealing the route between two private addresses, thus breaching the user's privacy. Some map links gave out details like a user's hospital address, his place of worship, abortion clinics, and for some scaringly their home addresses even.
Researchers used Microsoft's Bit.ly service, that the company uses to generate short URLs for OneDrive files and folders, to create 71 million OneDrive short URLs. Out of these, 24,000 were legal and allowed them to access private files and folders. They claimed that by opening the longform web-address through the shortened one, they were even able to alter web address to access different folders and files created by the same user. Once these folders are accessed, hackers may inject any malicious content into them and they'd automatically be copied in the user's hard drive.
For Goo.gl, they revealed that out of the 23 million randomly created short-URLs of Google Maps, they were surprised to find that about 10 percent of them opened up actual navigated directions. The duo were able to illustrate the level of threat by sampling a woman who visited a Planned Parenthood facility, accurately confirming her complete name, age and residential address. Scary!
Georgiev and Shmatikov began their experiment last year, and notified Google about it in September. Google acted responsibly and increased the URL length to 11 or 12 digits, making it difficult to crack by force. the company even initiated preventive measures to identify and block auto-scanning of short web addresses. Microsoft had earlier ignored the researchers' concern, but removed the URL shortening tool from OneDrive earlier last month. The existing vulnerable links are still accessible though.
You may go through their detailed study in their report here - #-Link-Snipped-#.
Replies
You are reading an archived discussion.
Related Posts
At a glittering ceremony in India LG Electronics recently launched K series smartphones K7 and K10, first ones to be manufactured entirely in the country at a fully-automated plant based...
A team of neuroscientists and engineers got together at Battelle to develop a smart device called 'NeuroLife' that can let paralyzed people make complex movements such as playing a video...
Hi Amigos!
I am Shubhi, Computer Science engineering sophomore living in New Delhi.
I love anything that involves creativity. I am a bookworm who loves writing.
I joined CE because...
Cancer, the worlds’ deadliest disease has crippled the human civilization for long, and a proper cure to it is still not in sight. According to the MIT press report, pancreatic...
Heat engines have been an integral part of the industry, ever since the seventeenth century, when Giovanni Branca demonstrated his steam engine to the world. Thermodynamically speaking, a heat engine...