Shortened URLs Can Let Hackers Spy on You: Study

According to two researchers at Cornell Tech, while URL shortening tools may be useful, the short length makes it simple for hackers to brute force them, potentially exposing private information or even infecting cloud storage accounts with malware.

According to the researchers Martin Georgiev and Vitaly Shmatikov, it is possible to brute force shortened links from tech companies such as Google, Microsoft, and bit.ly that generate a Web address with only six seemingly random characters. The two researchers were able to use the trial and error method to discover Google Drive and Microsoft OneDrive files shared by short URLs. They also claim that out of their scanned accounts, around 7 percent of the OneDrive and Google Drive accounts were vulnerable in such way.

It was also possible to break inside a shortened Google Maps URLs that often contained routes between two private addresses, potentially leading to huge privacy issues. Some Maps links even contained details about users' medical facilities and places of worship.

The duo explained that Microsoft used Bit.ly service to generate short URLs for OneDrive files and folders. The researchers randomly generated 71 million OneDrive short URLs, out of which 24,000 were legitimate and let them access private files and folders. They even said that by opening the full length URL from the shortened ones, they could then tweak the Web address to access different folders by the same user.

"If someone wanted to inject a lot of malicious content into people's computers, it's a pretty interesting way of doing it," Wired quoted Shmatikov. "By scanning you can find these folders, you put whatever you want in them, and it gets automatically copied to people's hard drives."

For the search giant Google, the researchers said its Maps service like OneDrive used Bit.ly-generated shortened URLs that included shared locations and directions. They randomly generated 23 million shortened Google Maps URLs only to find that a massive almost 10 percent of them directly opened actual directions. The researchers said they could find directions requested by users to clinic for specific diseases, addiction treatment centres, abortion providers and more. Over 16,000 directions showed one end as the residence of the user.

They could even illustrate the level of threat caused by shortened Google Maps URL by pin pointing one of the users, identifying it as a young woman who shared directions to a Planned Parenthood facility, confirming her residence address, full name, and age as well.

Georgiev and Shmatikov started this research almost a year ago and notified Google about it in September last year. The company then responded by increasing the length of the URLs to 11 or 12 randomised characters, making them much harder to crack by brute force. The search giant even took measures to identify and block automated scanning of shortened URLs.

When the researchers approached Microsoft in May last year, the Redmond-based tech giant initially ignored the concerns but by last month removed the URL shortening feature from OneDrive. However, the researchers still say they could still successfully access all the identified vulnerable links. The detailed research study can be found here.