URL shorteners are great for packaging links that you want to share on blogs, social networks and messaging services. Unfortunately, they can pose grave security risks, as two researchers discovered in a study spanning 18 months (PDF).
Vitaly Shmatikov of Cornell Tech, in collaboration with visiting researcher Martin Georgiev, looked at the URL shortening methods used by Microsoft in its OneDrive cloud storage app, as well as by Google in its Maps service.
What they found was pretty damn scary. They noted that Microsoft used Bitly’s service to generate short URLs linking to users’ OneDrive files, and that those URLs had a predictable structure.
This made it easy to look at the full URL for a single file and then discover other files shared by the same user.
And not only did they manage to find files including some containing sensitive information, but they also noticed that a small percentage of them were write-enabled. This means that they could inject malware and viruses into those files with ease.
When looking at Google Maps links, Shmatikov and Georgiev said that they were able to scan URLs with five-character tokens and see people’s locations and destinations.
It may seem like they’d only ever come across random information this way, but they were able to uncover things like a user seeking directions from a residence to a Planned Parenthood facility, along with her full name and age.
Thankfully, both services amended their link shortening methods after the researchers alerted them to the issues. They said that Google responded immediately and implemented 11-12 character tokens for its Maps links, as well as defenses to prevent bots from scanning its URLs.
Microsoft didn’t take as kindly to the researchers pointing out the flaw in its service. It did disable the link shortening option in OneDrive last month, but maintains that the decision was unrelated to the issue the duo highlighted.
Does that mean companies should stop offering URL shortening services? Shmatikov noted that they should explicitly warn users that creating a short link to a file potentially exposes it to unintended third parties.
There are ways to make them safer: using in-house resolvers instead of public services like Bitly, keeping bots from scanning links by using methods like CAPTCHAs, and developing robust APIs that don’t make it easy to uncover all files shared by a user just by finding a single URL.
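As an added illustration (not code from the study or from either service), the following Python sketch shows how a service owner would size short-link tokens to defend against the scanning described above: it computes how much of a token space is occupied by live links, the expected number of blind guesses before one resolves, and the shortest token that meets a target hit rate. The 62-symbol alphabet and the link counts are constructed assumptions; the article does not state what either service used.

```python
import math
import secrets
import string

# Constructed assumption: a 62-symbol alphabet (a-z, A-Z, 0-9), which is
# common for shorteners; the article does not specify the real alphabet.
ALPHABET = string.ascii_letters + string.digits


def keyspace(token_len: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** token_len


def hit_probability(token_len: int, live_links: int,
                    alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that a single random token guess resolves to an existing link."""
    return min(1.0, live_links / keyspace(token_len, alphabet_size))


def expected_guesses_per_hit(token_len: int, live_links: int,
                             alphabet_size: int = len(ALPHABET)) -> float:
    """Expected blind guesses before one lands on a live link (risk metric)."""
    p = hit_probability(token_len, live_links, alphabet_size)
    return math.inf if p == 0 else 1.0 / p


def min_token_length(live_links: int, max_hit_probability: float,
                     alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest token length that keeps a random guess at or below the target."""
    n = 1
    while live_links / keyspace(n, alphabet_size) > max_hit_probability:
        n += 1
    return n


def new_token(token_len: int) -> str:
    """Draw a token from a CSPRNG; length alone does not help if tokens
    follow a predictable structure such as a counter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(token_len))


if __name__ == "__main__":
    # Constructed figure: 100 million live links in the service.
    live = 100_000_000
    for n in (5, 12):
        print(f"{n}-char tokens: keyspace={keyspace(n):.2e}, "
              f"guesses per hit={expected_guesses_per_hit(n, live):.2e}")
    print("min length for hit rate <= 1e-12:", min_token_length(live, 1e-12))
    print("sample token:", new_token(12))
```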