Researchers Crack Short URLs – Find Sensitive Data

I have never been a fan of shortened URLs like , but mostly for security reasons.  If I click on that link, I have no idea what web site I am going to – whether it is malware laced or contains inappropriate content.  Now there is another reason – privacy.

Researchers at Cornell Tech, the tech focused campus of Cornell University in New York City,  have demonstrated that the shortened URLs used by companies like Google, Microsoft and represent a privacy problem as well.

The researchers, using brute force, found ways to spread malware, see who asked for directions to an abortion clinic or drug addiction treatment facilities, and modified files that they found.  They focused on services that only used a 6-character URL; 8-character URLs just have a larger address space.

In the case of Microsoft, the researchers tested 71 million possible URLs and found 24,000 that worked, pointing to shared files and folders.  Not only could they see those files and folders, in some cases they could edit them and in other cases, they were able to slightly tweak the resultant URLs to find other files.
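The numbers above are really a statement about token length versus the number of live links. The following is an added example (not code from the original post or from any of the vendors mentioned) that turns that relationship into something a service owner can reason with: how large a 6-, 8- or 12-character space is, what the observed hit rate in the Microsoft test implies about guesses per live link, the shortest token length that keeps the per-guess hit probability below a chosen target, and how to mint tokens from a CSPRNG so the whole space is actually used. The 62-symbol alphabet, the 1e-9 target and the one-billion-link figure are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: a 62-symbol alphabet (a-z, A-Z, 0-9), common for short-URL tokens.
ALPHABET = string.ascii_letters + string.digits


def address_space(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length (62**6 for 6 chars)."""
    return alphabet_size ** length


def guesses_per_hit(tested: int, found: int) -> float:
    """Expected random guesses per live link, from an observed scan result.
    With the figures in the post (71 million tried, 24,000 live) this is ~2958."""
    return tested / found


def hit_probability(live_links: int, length: int,
                    alphabet_size: int = len(ALPHABET)) -> float:
    """Probability that one uniformly random guess lands on a live link,
    assuming live tokens are spread uniformly over the space."""
    return live_links / address_space(length, alphabet_size)


def min_length_for_hit_probability(live_links: int, max_probability: float,
                                   alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest token length keeping hit_probability() at or below the target.
    Integer loop rather than a log() so rounding never lands one char short."""
    required_space = math.ceil(live_links / max_probability)
    length = 1
    while address_space(length, alphabet_size) < required_space:
        length += 1
    return length


def new_token(length: int = 12) -> str:
    """Mint a token with the OS CSPRNG; secrets.choice is uniform over ALPHABET,
    so no region of the space is denser (and therefore easier to guess) than another."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for n in (6, 8, 12):
        print(f"{n} chars: {address_space(n):,} possible tokens")
    print(f"guesses per live link in the Microsoft test: {guesses_per_hit(71_000_000, 24_000):.0f}")
    # Assumed scenario: one billion live links, target 1 hit per billion guesses.
    print("minimum length for that target:", min_length_for_hit_probability(10**9, 1e-9))
    print("sample token:", new_token())
```

The practical reading: a hit rate measured from a scan is the attacker's cost model, so the defender's levers are the length (which sets the denominator), the lifetime of links (which sets the numerator), and per-client request limits (which cap how many guesses can be bought per hour). Note that `min_length_for_hit_probability` is just the arithmetic of the uniform model; it is not a description of how Google chose 11 or 12 characters.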

And, thanks to the cloud synchronization features provided by many of the cloud vendors, if they can edit the files to add malware, when that file gets synched to a user’s device, the malware gets automatically loaded on that device.  Pretty neat trick.

The researchers also tried this with Google Maps.  By generating 23 million shortened URLs, they found about 2 million active maps.  Those maps, in many cases, included both ends of the trip – say your house and a drug treatment center, jail, topless bar or other sensitive information.  While they did this with Google, it also worked with Mapquest, Bing Maps and Yahoo Maps.

After the researchers talked to Google, Google lengthened their short URLs to a not so short 11 or 12 characters instead of 6 or 8 and also added some detection capabilities for mass scanning.
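Detecting mass scanning of a redirect service comes down to noticing a client that resolves many tokens that don't exist in a short time, since a person following a shared link almost never produces a miss. The block below is an added example, not Google's or anyone else's detection code: it reads a constructed access log in a made-up four-field format (timestamp, client IP, token, HTTP status) and flags any client whose 404 count inside a sliding window exceeds a threshold. The log lines, IPs, tokens and thresholds are all invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in an assumed format: "<ISO timestamp> <client IP> <token> <status>".
# 203.0.113.7 resolves many non-existent tokens in a few seconds; 198.51.100.23
# follows real links and mistypes one. Both addresses are documentation ranges.
SAMPLE_LOG = """\
2016-04-18T10:00:00 198.51.100.23 kP7mD2 200
2016-04-18T10:00:03 203.0.113.7 qX2vLa 404
2016-04-18T10:00:04 203.0.113.7 Hn8tRw 404
2016-04-18T10:00:05 203.0.113.7 b4ZpKc 404
2016-04-18T10:00:06 203.0.113.7 Ty9eMs 404
2016-04-18T10:00:07 198.51.100.23 kP7mD3 404
2016-04-18T10:00:08 203.0.113.7 Lm3wQf 404
2016-04-18T10:00:09 203.0.113.7 aZ3kQ9 200
2016-04-18T10:00:10 203.0.113.7 Rv6jNb 404
2016-04-18T10:00:11 203.0.113.7 Gs1yVd 404
2016-04-18T10:05:00 198.51.100.23 kP7mD2 200
"""


def parse_line(line: str):
    """Split one log line into (timestamp, ip, token, status)."""
    ts, ip, token, status = line.split()
    return datetime.fromisoformat(ts), ip, token, int(status)


def find_scanners(lines, window_seconds: int = 60, max_misses: int = 5) -> dict:
    """Return {ip: ISO time of first alert} for clients whose number of 404s
    within any window_seconds-long window exceeds max_misses."""
    misses = defaultdict(deque)   # ip -> timestamps of recent 404s
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _token, status = parse_line(line)
        if status != 404:
            continue          # successful redirects are never evidence of scanning
        window = misses[ip]
        window.append(ts)
        # Drop misses that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_misses and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return flagged


def miss_ratio(lines, ip: str) -> float:
    """Fraction of a client's requests that were 404s; a second signal that
    separates a scanner (mostly misses) from a busy legitimate client (mostly hits)."""
    total = misses = 0
    for line in lines:
        if not line.strip():
            continue
        _ts, client, _token, status = parse_line(line)
        if client == ip:
            total += 1
            misses += status == 404
    return misses / total if total else 0.0


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("flagged:", find_scanners(lines))
    for client in ("203.0.113.7", "198.51.100.23"):
        print(client, "miss ratio:", round(miss_ratio(lines, client), 2))
```

The threshold is deliberately low here so the sample log triggers it; on a real service it should be set from the observed baseline of innocent misses (typos, expired links), and the response is usually throttling or a CAPTCHA for that client rather than a hard block, since a shared office NAT can look like a modest scanner.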

Microsoft, apparently, brushed the researchers' concerns off last year, but last month, they began removing shortened URLs altogether.  Microsoft said that as part of their effort to improve usability and features, they began removing shortened URLs.  However, all of the links that they found still work.  Sounds like they finally understood the risk.

One thing that users of shortened URLs probably don’t understand is how long those links remain live.  If you share something with someone and you know that the link will only work for 24 hours, that is probably a small risk.  On the other hand, if it will continue to work for years, that is probably a much larger risk.  Obviously, the sensitivity of the data is a critical factor as well.

Also, some – but not all – providers enable you to require users to authenticate themselves prior to gaining access to whatever is behind the shortened URL.  That is probably the best situation.

I think what is important is to understand that in most cases, with shortened URLs, if someone has the URL, they can access the data.  Whether they got that URL by looking at someone’s email or by randomly trying different URLs, the result is the same.  If that is NOT a problem, then go for it.  If that is a problem, then figure out a different way to share the information.

Information for this post came from Wired.
