Advertisement

Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Support us today
Not now
Wednesday 4 October 2023 Dublin: 16°C
Dominic Lipinski/PA Wire
# Safety First
Those shortened URLs you shared aren't as safe as you think
If you shared ones linked to private files, then you could have a problem.
16.4k
7
Apr 15th 2016, 4:49 PM

SHORTENED URLS MIGHT be more convenient to share, but they can end up being a problem if you used them to share private files.

Two security researchers found that short URLs are susceptible to brute-force attacks (repeated trial and error attempts to crack a password or account), which could lead to personal data being revealed.

The URLs tested involved Google, Microsoft, and Yahoo!, all of them having used bit.ly for sharing files saved online and map directions. The issue is that even if you shared links to these services privately, there’s a greater chance of someone stumbling upon them than a normal URL.

With shortened URLs averaging around six characters, anyone willing to put the time and energy into creating a program that guesses them create a database of working ones and access them.

The researchers say that uncovering them could allow an attacker to overwrite files, spread malware on people’s computers through Microsoft’s OneDrive accounts or find out who requested directions from their home to places like clinics through Google Maps, Bing Maps or Yahoo! Maps.

Google Maps 2 Google Maps In short URL links linking to Google Maps, the researchers found directions from people's homes to sensitive locations like clinics. Google Maps

Sensitive information

In one instance, they were able to uncover the full name, address, and age of a young woman who shared directions to a planned parenthood facility in the US.

While they discovered private files through this method, the researchers didn’t access any of them or share them in the paper.

When it informed Microsoft and Google of the flaws back in May and September 2015 respectively, Microsoft removed the shorten link option from OneDrive last month but told the researchers they didn’t consider their report a security vulnerability.

Google lengthened its short URLs to 11 or 12 character tokens, making them no longer vulnerable to brute-force scanning.

While that was fixed, the paper concludes that the best way to approach shortened URLs is to assume they’re “effectively public”.

“Solving the problem identified in this paper will not be easy since short URLs are an integral part of many cloud services and previously shared information remains publicly accessible (unless URL shorteners take the drastic step of revoking all previously issued short URLs),” it concluded.

Read: Apple expects any new iPhone you buy to last three years >

Read: If you still have Apple QuickTime on your PC, you need to uninstall it asap >

Making a difference

A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

For the price of one cup of coffee each week you can make sure we can keep reliable, meaningful news open to everyone regardless of their ability to pay.

Support us Learn More

Author
Quinton O'Reilly
quinton@thejournal.ie
@qoreilly
Send Tip or Correction
Read Next
More Stories
Related Tags
Your Voice
Readers Comments
7
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.