Security Researchers Give You A Good Reason Not To Use Shortened URLs
A shortened URL is so much easier to work with, especially for those who prefer brevity or find long addresses awkward to handle. You may want to think again.
What looks like a convenient service can in fact be a doorway for malware to infect systems or for confidential data to be exposed, say Cornell Tech computer scientists Martin Georgiev and Vitaly Shmatikov, who have now made their findings public.
The researchers came across this issue while looking at the shortened web addresses used by leading technology players like Google, Microsoft, and Bit.ly. Almost 18 months ago, Georgiev and Shmatikov noticed that Microsoft OneDrive and Google Maps generated web addresses, through Bit.ly's URL shortening service, that appeared to consist of just six random characters.
Six characters is a small enough space that attackers can simply generate the millions of possible shortened URLs and check each one until they hit upon a real link. "With a decent number of machines you can scan the entire space," says Shmatikov. "You just randomly generate the URLs and see what's behind them."
Microsoft, for instance, let users share files and folders on its OneDrive storage platform via shortened URLs and treated those links as private and secure. The researchers proved otherwise: they generated about 71 million random short URLs pointing at OneDrive content and hit upon 24,000 live files and folders. The researchers say they never accessed the files, but an unscrupulous attacker could take advantage of such a flaw. Around 7 percent of the content was editable by anyone who visited the pages.
The Cornell Tech duo also pointed to a synchronization feature that could carry malware directly onto an unsuspecting user's PC. "If someone wanted to inject a lot of malicious content into people's computers, it's a pretty interesting way of doing it," they warned. "By scanning you can find these folders, you put whatever you want in them, and it gets automatically copied to people's hard drives."
Similarly, the researchers were able to uncover apparently private information such as medical details, visits to juvenile detention facilities, and other confidential data. In this case, generating around 23 million random short Google Maps URLs gave the researchers access to such personal details, because a shortened Google Maps URL typically encodes directions between two addresses that the user presumably considered private.
When the pair contacted Google with their findings, the company responded immediately by increasing the length of its short URLs to 11 or 12 characters, up from six. Microsoft, on the other hand, initially dismissed the issue but later removed the URL shortening feature from OneDrive to tighten security.
The researchers say that the aim of publishing their paper [pdf] is to make both companies and people more aware of the vulnerabilities their systems are exposed to. "It's not clear that users understand this," says Shmatikov. "They think they're sharing a document with a collaborator. But if you're sharing a six-character shortened URL, you're sharing it with the whole world."
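The difference between a six-character token and the 11 or 12 characters Google moved to is what a service operator needs to quantify before deploying a shortener. The following is an added example, not code from the researchers or from any of the companies named above; it assumes the usual 62-symbol alphabet, assumes live links are spread uniformly through the token space, and uses a constructed scenario of one million live links and a scanner doing 1,000 requests per second.

```python
import math
import secrets
import string

# 62-symbol alphabet (a-z, A-Z, 0-9) that most URL shorteners draw tokens from (assumption).
ALPHABET = string.ascii_letters + string.digits


def keyspace_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy in a uniformly random token of the given length."""
    return length * math.log2(len(alphabet))


def expected_probes_per_hit(length: int, live_links: int, alphabet: str = ALPHABET) -> float:
    """Average random guesses needed to land on one live link, assuming the
    live links are spread uniformly through the keyspace."""
    return len(alphabet) ** length / live_links


def observed_probes_per_hit(probes: int, hits: int) -> float:
    """Empirical guesses-per-hit from a scan, e.g. the 71 million / 24,000 figures above."""
    return probes / hits


def is_guessable(length: int, live_links: int, probes_per_second: float,
                 horizon_days: int = 30, alphabet: str = ALPHABET) -> bool:
    """True if a scanner at the given rate would expect at least one live hit
    within the horizon; use this to reject a token length before deploying it."""
    budget = probes_per_second * 86_400 * horizon_days
    return budget >= expected_probes_per_hit(length, live_links, alphabet)


def new_token(length: int = 11, alphabet: str = ALPHABET) -> str:
    """Mint a short-link token from the OS CSPRNG (never a counter or random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: 1 million live links, a scanner doing 1,000 requests/s.
    for n in (6, 11, 12):
        print(f"{n} chars: {keyspace_bits(n):5.1f} bits, "
              f"guessable within 30 days: {is_guessable(n, 1_000_000, 1_000)}")
    print("observed probes per hit in the OneDrive scan:",
          round(observed_probes_per_hit(71_000_000, 24_000)))
    print("example token:", new_token())
```

The six-character space is exhausted in a day at that rate, whereas the 11-character space needs on the order of 10^13 probes per hit, which is why the length change alone closes the enumeration avenue.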
Photo: Alper Çuğun | Flickr