Now we have a new rule: don’t use a URL shortener to share personal documents or information which may compromise your privacy.
Most shortened URLs consist of a known service like Bitly followed by strings of 5 to 8 characters, and researchers have found that it is not impossible to randomly guess those strings and get back links to sensitive info.
Do you know how security experts say you’re not supposed to use a short password because it can be guessed? Some URL shortener services have that exact same problem (or at least they did).
For example, the researchers found that users are sharing links to OneDrive which lead to documents anyone can edit:
We show how to use short-URL enumeration to discover and read shared content stored in the OneDrive cloud, including even files for which the user did not generate a short URL. 7% of the OneDrive accounts exposed in this fashion allow anyone to write into them. Since cloud-stored files are automatically copied into users’ personal computers and devices, this is a vector for large-scale, automated malware injection.
The researchers also found that once they had a link to a file in a OneDrive account, they could traverse the account and find other public files, thus compromising an entire account through one lapse in security.
Fortunately the trick the researchers used no longer works, but this is no guarantee that a hacker won’t find other tricks. So caveat emptor.
The researchers also identified a problem with Google Maps’ own URL shortener. Google is now using 11-character strings for any URL shared via Google Maps, but at the time the researchers were investigating the service, Google Maps was only using a 5-character string on shortened URLs.
Again, the researchers found one could guess at shortened URLs and find valid links, including to personally identifiable info:
The endpoints of driving directions shared via short URLs often contain enough information to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a planned parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom. Fine-grained data associated with individual residential addresses can be used to infer interesting information about the residents. For instance, we conjecture that one of the most frequently occurring residential addresses in our sample (see Figure 4) is the residence of a geocaching enthusiast. He or she shared directions to hundreds of locations around Austin, TX, many of them specified as GPS coordinates. We have been able to find some of these coordinates in a geocaching database.
You can find the full report here.
The report is scary reading, but rather than getting bogged down in the details, I think we should instead consider what we can learn from this report.
My takeaway is that now is a good time to make sure that our cloud storage accounts are secure. Yes, this report focused on OneDrive and didn’t say anything about other services, but I’d rather secure my accounts now than learn about a security flaw after the fact.
Also, we need to be more aware of how easy it is to guess a shortened URL from the services we use. Twitter, for example, now uses a 10-character string consisting of uppercase letters, lowercase letters, and numbers. At 62^10, that’s 839 quadrillion possible combinations. Amazon’s URL shortener, on the other hand, only leads to Amazon links, so its 7-character string is relatively safe in terms of what it can expose – but it is easy to guess, so you might want to be careful about sharing links to sex toys and the like.
Those are just two of the many tech companies with their own URL shorteners. Each one needs to be evaluated in terms of security and any service which is not secure should be avoided.
Basically you should ask yourself if you would feel safe using the string from a shortened URL as your secure password. If the answer is no then you should not use the service that gave you the shortened URL, either.
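To put numbers on the comparison of character counts above and on the "would you use it as a password?" test, here is an added example that is not code from the post or from the report it summarises: it infers the alphabet a short-URL token was drawn from, computes its entropy in bits and keyspace, and estimates how long walking the whole space would take at an assumed guess rate. The guess rate, the verdict thresholds and the sample tokens are all assumptions.

```python
import math
import string

# Added example, not code from the post or the report it summarises.
# The guess rate and verdict thresholds below are assumptions for illustration.
GUESSES_PER_SECOND = 1_000       # assumed rate of one unthrottled client
WEAK_BITS, STRONG_BITS = 40, 56  # assumed cut-offs for the "use it as a password?" test

def alphabet_size(token: str) -> int:
    """Infer the alphabet a token was drawn from (lowercase, uppercase, digits, other)."""
    size = 0
    if any(c in string.ascii_lowercase for c in token):
        size += 26
    if any(c in string.ascii_uppercase for c in token):
        size += 26
    if any(c in string.digits for c in token):
        size += 10
    size += len(set(token) - set(string.ascii_letters + string.digits))
    return size

def keyspace(length: int, alphabet: int) -> int:
    return alphabet ** length          # e.g. 62**10 for a 10-character mixed-case token

def entropy_bits(length: int, alphabet: int) -> float:
    return length * math.log2(alphabet)

def seconds_to_exhaust(length: int, alphabet: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every token of this shape once at the given guess rate."""
    return keyspace(length, alphabet) / rate

def assess(token: str) -> dict:
    """Apply the post's rule: would this string be an acceptable password?"""
    alphabet = alphabet_size(token)
    bits = entropy_bits(len(token), alphabet)
    verdict = "weak" if bits < WEAK_BITS else "moderate" if bits < STRONG_BITS else "strong"
    return {"length": len(token), "alphabet": alphabet, "bits": round(bits, 1),
            "keyspace": keyspace(len(token), alphabet),
            "days_to_exhaust": seconds_to_exhaust(len(token), alphabet) / 86400,
            "verdict": verdict}

if __name__ == "__main__":
    # Constructed tokens shaped like the 5-, 7-, 10- and 11-character ones the post mentions
    for token in ("aB3xZ", "aB3xZ9q", "aB3xZ9qL0m", "aB3xZ9qL0mQ"):
        print(token, assess(token))
```

A 5-character token over 62 symbols is exhausted in about ten days at a thousand guesses per second, which is the gap between the old Google Maps format and the current 10- and 11-character ones.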