Skip to content
#Open journalism No news is bad news

Your contributions will help us continue to deliver the stories that are important to you

Support The Journal
Image: Dominic Lipinski/PA Wire

Those shortened URLs you shared aren't as safe as you think

If you shared ones linked to private files, then you could have a problem.
Apr 15th 2016, 4:49 PM 16,319 8

SHORTENED URLS MIGHT be more convenient to share, but they can end up being a problem if you used them to share private files.

Two security researchers found that short URLs are susceptible to brute-force attacks (repeated trial and error attempts to crack a password or account), which could lead to personal data being revealed.

The URLs tested involved Google, Microsoft, and Yahoo!, all of them having used bit.ly for sharing files saved online and map directions. The issue is that even if you shared links to these services privately, there’s a greater chance of someone stumbling upon them than a normal URL.

With shortened URLs averaging around six characters, anyone willing to put the time and energy into creating a program that guesses them create a database of working ones and access them.

The researchers say that uncovering them could allow an attacker to overwrite files, spread malware on people’s computers through Microsoft’s OneDrive accounts or find out who requested directions from their home to places like clinics through Google Maps, Bing Maps or Yahoo! Maps.

Google Maps 2 In short URL links linking to Google Maps, the researchers found directions from people's homes to sensitive locations like clinics. Source: Google Maps

Sensitive information

In one instance, they were able to uncover the full name, address, and age of a young woman who shared directions to a planned parenthood facility in the US.

While they discovered private files through this method, the researchers didn’t access any of them or share them in the paper.

When it informed Microsoft and Google of the flaws back in May and September 2015 respectively, Microsoft removed the shorten link option from OneDrive last month but told the researchers they didn’t consider their report a security vulnerability.

Google lengthened its short URLs to 11 or 12 character tokens, making them no longer vulnerable to brute-force scanning.

While that was fixed, the paper concludes that the best way to approach shortened URLs is to assume they’re “effectively public”.

“Solving the problem identified in this paper will not be easy since short URLs are an integral part of many cloud services and previously shared information remains publicly accessible (unless URL shorteners take the drastic step of revoking all previously issued short URLs),” it concluded.

Read: Apple expects any new iPhone you buy to last three years >

Read: If you still have Apple QuickTime on your PC, you need to uninstall it asap >

Send a tip to the author

Quinton O'Reilly

COMMENTS (8)

    Back to top