Report: That Shortened URL You Just Shared Could Also be a Shortcut to Your Sensitive info
URL shorteners are a great way to clean up long and messy links and share them, but their use comes with a security warning: don’t click on links from people you don’t know/trust.
Now we have a new rule: don’t use one to share personal documents or information which may compromise your privacy.
A new report (PDF) from the Freedom to Tinker Foundation has revealed that the random-looking shortened URL you shared earlier today isn’t nearly as safe or anonymous as one might think.
Most shortened URLs consist of the domain of a known service like Bitly followed by a string of 5 to 8 characters, and researchers have found that those strings can be guessed at random to get back links to sensitive info.
Do you know how security experts say you’re not supposed to use a short password because it can be guessed? Some URL shortener services have that exact same problem (or at least they did).
For example, the researchers found that users are sharing links to OneDrive which lead to documents anyone can edit:
We show how to use short-URL enumeration to discover and read shared content stored in the OneDrive cloud, including even files for which the user did not generate a short URL. 7% of the OneDrive accounts exposed in this fashion allow anyone to write into them. Since cloud-stored files are automatically copied into users’ personal computers and devices, this is a vector for large-scale, automated malware injection.
The researchers also found that once they had a link to a file in a OneDrive account, they could traverse the account and find other public files, thus compromising an entire account through one lapse in security.
Fortunately the trick the researchers used no longer works, but this is no guarantee that a hacker won’t find other tricks. So caveat emptor.
The researchers also identified a problem with Google Maps' own URL shortener. Google is now using 11-character strings for any URL shared via Google Maps, but at the time the researchers were investigating the service, Google Maps was only using a 5-character string in its shortened URLs.
Again, the researchers found one could guess at shortened URLs and find valid links, including to personally identifiable info:
The endpoints of driving directions shared via short URLs often contain enough information to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a planned parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom. Fine-grained data associated with individual residential addresses can be used to infer interesting information about the residents. For instance, we conjecture that one of the most frequently occurring residential addresses in our sample (see Figure 4) is the residence of a geocaching enthusiast. He or she shared directions to hundreds of locations around Austin, TX, many of them specified as GPS coordinates. We have been able to find some of these coordinates in a geocaching database.
You can find the full report here.
The report is scary reading, but rather than getting bogged down in the details, I think we should instead consider what we can learn from this report.
This report found flaws in OneDrive and Google Maps, but it also points to a more general problem with how people are using URL shorteners.
My takeaway is that now is a good time to make sure that our cloud storage accounts are secure. Yes, this report focused on OneDrive and didn’t say anything about other services, but I’d rather secure my accounts now than learn about a security flaw after the fact.
Also, we need to be more aware of how easy it is to guess a shortened URL from the services we use. Twitter, for example, now uses a 10-character string consisting of uppercase letters, lowercase letters, and numbers. At 62^10, that’s 839 quadrillion possible combinations. Amazon’s URL shortener, on the other hand, only leads to Amazon links so its 7-character string is relatively safe – but easy to guess, so you might want to be careful about sharing links to sex toys and the like.
Those are just two of the many tech companies with their own URL shorteners. Each one needs to be evaluated in terms of security and any service which is not secure should be avoided.
Basically you should ask yourself if you would feel safe using the string from a shortened URL as your secure password. If the answer is no then you should not use the service that gave you the shortened URL, either.
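To put numbers on that password test, here is an added example (not from the report or from this post) that measures a short URL's token the way you would measure a password, and shows why the number of live links matters as much as the token length. The live-link count and the short.example URLs are constructed assumptions.

```python
import math
import secrets
import string
from urllib.parse import urlparse

# 62 symbols: uppercase, lowercase, digits (the alphabet behind the 62^10 figure).
ALPHABET = string.ascii_letters + string.digits

def token_of(url):
    """Return the guessable part of a short URL: its last path segment."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]

def keyspace(length, symbols=len(ALPHABET)):
    """Number of distinct tokens of this length."""
    return symbols ** length

def entropy_bits(length, symbols=len(ALPHABET)):
    """Entropy of a uniformly random token, for comparison with passwords."""
    return length * math.log2(symbols)

def expected_guesses_per_hit(length, live_links):
    """Average number of random guesses before one lands on a live link."""
    return keyspace(length) / live_links

def min_length(live_links, guesses_per_hit):
    """Shortest token length that forces at least `guesses_per_hit` guesses
    per live link on average, given how many links the service holds."""
    length = 1
    while keyspace(length) < live_links * guesses_per_hit:
        length += 1
    return length

def new_token(length):
    """Generate a uniformly random token with the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    LIVE = 10**8  # assumed number of live links; constructed, not from the report
    for url in ("https://short.example/aB3xY",          # 5 chars (constructed)
                "https://short.example/aB3xY9kQ2mZ"):   # 11 chars (constructed)
        n = len(token_of(url))
        print(f"{n:2d} chars  {entropy_bits(n):5.1f} bits  "
              f"~{expected_guesses_per_hit(n, LIVE):,.0f} guesses per live link")
    need = min_length(LIVE, guesses_per_hit=10**9)
    print("length for 1e9 guesses per hit:", need, "e.g.", new_token(need))
```

With the assumed 100 million live links, a 5-character token is hit about once every nine guesses, while an 11-character token needs hundreds of billions of guesses per hit.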
FTTF via Techdirt, Ars Technica
puzzled April 15, 2016 at 6:34 pm
Is your warning about not sharing links to sex toys related to ones you’ve looked at, ones you’ve shared or ones that are controlled through the web?
Nate Hoffelder April 15, 2016 at 7:09 pm
My point was that Amazon’s URL shortener could be brute-forced and the links extracted.
Michael Anderson April 16, 2016 at 7:17 am
My company (Corning) has completely blocked all shortened links and a couple of years ago published an internal security report detailing why … pretty similar to all of this. It can be annoying, but I understand their point and can manage the 30 seconds to figure out the real link.
Nate Hoffelder April 18, 2016 at 11:01 pm
I know of a site that banned the posting of shortened URLs for no good reason (they didn’t trust their users), but this is the first time I heard of a company enacting a ban for security reasons.
It does make a lot of sense, though.