URL shorteners are great for packaging links that you want to share on blogs, social networks and messaging services. Unfortunately, they can pose grave security risks, as two researchers discovered in a study spanning 18 months.
Vitaly Shmatikov of Cornell Tech, in collaboration with visiting researcher Martin Georgiev, looked at the URL shortening methods used by Microsoft in its OneDrive cloud storage app, as well as by Google in its Maps service. What they found was pretty damn scary. They noted that Microsoft used Bitly's service to generate short URLs linking to users' OneDrive files, and that those URLs had a predictable structure. This made it easy to take the full URL of a single file and then discover other files shared by the same user.
Not only did they manage to find files, some containing sensitive information, but they also noticed that a small percentage of them were write-enabled. This means that malware could be injected into those files with ease. When looking at Google Maps links, Shmatikov and Georgiev said that they were able to scan URLs with five-character tokens and see people's locations and destinations.
It may seem like they'd only ever come across random information this way, but they were able to uncover things like a user seeking directions from a residence to a Planned Parenthood facility, along with her full name and age.
Thankfully, both services amended their link shortening methods after the researchers alerted them to the issues. They said that Google responded immediately, implementing 11- to 12-character tokens for its Maps links as well as defences to prevent bots from scanning its URLs.
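To show why the two fixes above matter, here is an added illustration (not code from the article, the researchers, or either service) that estimates the exposure of a token length and pairs a CSPRNG-backed token generator with a per-client lookup throttle. The 62-symbol alphabet, the one-million-links and 1,000-lookups-per-second figures, and the client IPs are constructed assumptions.

```python
import math
import secrets
import time
from collections import deque

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # 62 symbols (assumed)


def token_bits(length: int) -> float:
    """Entropy of a uniformly random token of `length` symbols drawn from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def years_per_valid_hit(length: int, links_in_use: int, lookups_per_second: float) -> float:
    """Expected years an enumerator needs to land on one live link, given how many
    tokens are issued and the lookup rate the service lets through. Assumes tokens are
    uniformly random; sequential or otherwise predictable tokens are far worse."""
    keyspace = len(ALPHABET) ** length
    guesses_per_hit = keyspace / links_in_use
    return guesses_per_hit / lookups_per_second / (365 * 24 * 3600)


def new_token(length: int = 12) -> str:
    """Token from a cryptographic RNG; 12 symbols is the length the article reports for Maps."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class LookupRateLimiter:
    """Sliding-window cap on short-link resolutions per client (e.g. per source IP),
    the kind of anti-scanning defence the article mentions. `clock` is injectable for tests."""

    def __init__(self, max_lookups: int, window_seconds: float, clock=None):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.clock = clock or time.monotonic
        self.history = {}  # client -> deque of recent lookup timestamps

    def allow(self, client: str) -> bool:
        now = self.clock()
        recent = self.history.setdefault(client, deque())
        while recent and now - recent[0] >= self.window:  # drop timestamps outside the window
            recent.popleft()
        if len(recent) >= self.max_lookups:
            return False
        recent.append(now)
        return True


if __name__ == "__main__":
    for n in (5, 12):  # the token lengths the article contrasts
        print(f"{n}-char token: {token_bits(n):.1f} bits, "
              f"~{years_per_valid_hit(n, 1_000_000, 1000):.2e} years per live hit")
    print("example 12-char token:", new_token())
```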