Short URLs are great when they lead to public websites, and documents and files that aren’t meant to remain private, but you should think twice about using them to lead collaborators to content that’s meant only for their eyes.
“URLs created by many URL shortening services are so short that the entire space of possible URLs can be scanned or at least sampled on a large scale,” researchers Martin Georgiev and Vitaly Shmatikov pointed out in their research paper.
They proved this claim by checking out URLs created through the integrated URL shortening services in the Microsoft OneDrive cloud storage service and Google Maps.
“We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary), but we sampled enough to discover interesting information and draw important conclusions,” Shmatikov shared in a blog post.
In the case of OneDrive, they found files (ethical concerns prevented them from analyzing their content) and a way to get to other files in the accounts. They also found that 7% of the OneDrive accounts exposed in this fashion allow anyone to write into them, making it possible for attackers to upload malware.
“Since cloud-stored files are automatically copied into users’ personal computers and devices, this is a vector for large-scale, automated malware injection,” they explained.
In the case of Google Maps, they found directions that users shared with each other, and which could be used to discover information about the users, including their identities, home addresses, and potentially sensitive locations they visited (e.g. specialized medical institutions).
Their findings were disclosed to Microsoft and Google. The latter responded promptly and made newly created short URLs to Google Maps consist of 11 or 12-character tokens.
Microsoft, on the other hand, did not immediately admit that there was a problem. Still, they recently removed the “shorten link” option from OneDrive, and changed the API that allowed the researchers to root through accounts once they found their way in.
“We suggest five approaches to mitigate the vulnerabilities identified in this paper: (1) make short URLs longer, (2) inform users about the risks of URL shorteners, (3) do not rely on universal URL shorteners, (4) employ CAPTCHAs or other methods to separate human users from automated scanners, and (5) design better APIs for the cloud services that use short URLs,” they concluded.