Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Dominic Lipinski/PA Wire

Those shortened URLs you shared aren't as safe as you think

If you shared ones linked to private files, then you could have a problem.

SHORTENED URLS MIGHT be more convenient to share, but they can end up being a problem if you used them to share private files.

Two security researchers found that short URLs are susceptible to brute-force attacks (repeated trial and error attempts to crack a password or account), which could lead to personal data being revealed.

The URLs tested involved Google, Microsoft, and Yahoo!, all of them having used bit.ly for sharing files saved online and map directions. The issue is that even if you shared links to these services privately, there’s a greater chance of someone stumbling upon them than a normal URL.

With shortened URLs averaging around six characters, anyone willing to put the time and energy into creating a program that guesses them create a database of working ones and access them.

The researchers say that uncovering them could allow an attacker to overwrite files, spread malware on people’s computers through Microsoft’s OneDrive accounts or find out who requested directions from their home to places like clinics through Google Maps, Bing Maps or Yahoo! Maps.

Google Maps 2 In short URL links linking to Google Maps, the researchers found directions from people's homes to sensitive locations like clinics. Google Maps Google Maps

Sensitive information

In one instance, they were able to uncover the full name, address, and age of a young woman who shared directions to a planned parenthood facility in the US.

While they discovered private files through this method, the researchers didn’t access any of them or share them in the paper.

When it informed Microsoft and Google of the flaws back in May and September 2015 respectively, Microsoft removed the shorten link option from OneDrive last month but told the researchers they didn’t consider their report a security vulnerability.

Google lengthened its short URLs to 11 or 12 character tokens, making them no longer vulnerable to brute-force scanning.

While that was fixed, the paper concludes that the best way to approach shortened URLs is to assume they’re “effectively public”.

“Solving the problem identified in this paper will not be easy since short URLs are an integral part of many cloud services and previously shared information remains publicly accessible (unless URL shorteners take the drastic step of revoking all previously issued short URLs),” it concluded.

Read: Apple expects any new iPhone you buy to last three years >

Read: If you still have Apple QuickTime on your PC, you need to uninstall it asap >

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Author
Quinton O'Reilly
View 7 comments
Close
7 Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.
    JournalTv
    News in 60 seconds