Shorter Isn’t Always Better
URL shorteners carry a potential risk. Security researchers have found that shortened URLs can expose personal data and private details to anyone who cares to look.
URL shorteners are a simple and useful way of sharing links. However, new security research shows that these shortened links may expose your personal data and private information.
A new report from Cornell Tech shows that URL shorteners deserve some concern. The two researchers involved, Martin Georgiev and Vitaly Shmatikov, looked at abbreviated website links from big companies such as Google, Microsoft and bit.ly and found the issue there. After analyzing more than a million shortened links, the team found that by randomly generating short addresses they could reach the information behind them.
An example is the standard Google Maps URL, which can take up to 150 characters. For ease of use, the shortener provides a six-character alternative. Because only six characters are involved, however, a valid short URL is easy to find by simple trial and error. This enables a hacker to see a user’s previous mapping requests and also exposes cloud storage activity. In particular, the two researchers saw that links related to Google Maps and to content stored on Microsoft’s cloud storage, OneDrive, were usually shared with short URLs.
The research also showed that shortened URLs could be used to add malware and other malicious components to cloud folders, which would in turn be synced with the computer.
It’s A Numbers Game
Just as hackers brute-force passwords by trying many different combinations, they can use the same method to find shortened URLs on servers. URL shorteners usually generate 6 to 8 characters to make each URL unique. But the fewer the characters, the easier it is for hackers to find a valid short URL by brute force.
According to the research, of the 42 million short URLs that were scanned, around 3,000 led to publicly accessible OneDrive folders. Such folders can easily be exploited by anyone who finds them, according to the research.
At the end of the report, Georgiev and Shmatikov noted the two contrasting ways in which Microsoft and Google handled the news. Google is said to have doubled the character length and said it appreciates any efforts that contribute to the safety of Google Maps and other Google products.
Microsoft, on the other hand, said the issue does not warrant an MSRC case. It did, however, remove the shortening function on OneDrive.
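The arithmetic behind the numbers game and behind the doubled token length, as an added example that is not taken from the report or from any shortener's code. It assumes a 62-symbol alphabet (a-z, A-Z, 0-9) and a constructed figure of one billion live links; the 42 million guess budget reuses the scan size quoted above.

```python
import secrets
import string

# Assumption: tokens are drawn from a-z, A-Z, 0-9 (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_hits(length, live_links, guesses, alphabet_size=len(ALPHABET)):
    """Expected number of live links found by uniformly random guesses.

    Each guess hits with probability live_links / keyspace (the density).
    """
    density = min(1.0, live_links / keyspace(length, alphabet_size))
    return guesses * density


def min_token_length(live_links, guess_budget, max_expected_hits=1.0,
                     alphabet_size=len(ALPHABET)):
    """Smallest token length that keeps a guesser with the given budget
    at or below max_expected_hits live links found."""
    length = 1
    while expected_hits(length, live_links, guess_budget,
                        alphabet_size) > max_expected_hits:
        length += 1
    return length


def new_token(length):
    """Issue a token from a CSPRNG so that tokens are not predictable
    from earlier ones (sequential or time-based tokens defeat the math)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    LIVE = 10**9          # constructed: links issued by a hypothetical service
    BUDGET = 42_000_000   # guess budget, same size as the scan quoted above
    for n in (6, 12):
        print(n, keyspace(n), round(expected_hits(n, LIVE, BUDGET), 6))
    print("minimum length:", min_token_length(LIVE, BUDGET))
    print("sample token:", new_token(12))
```

Token length only limits blind guessing; a link that grants access to a private folder still needs an access check or expiry on the server side.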
As always, we suggest getting a good VPN, which will help protect your privacy and security in most cases.