According to a new report released out of Cornell Tech, we should be showing some concern over the use of URL shorteners. Martin Georgiev and Vitaly Shmatikov discovered the issue after looking at the abbreviated web addresses used by companies like Google, Microsoft and bit.ly. After analysing millions of bit.ly-generated short URLs, the duo found that randomly generating the addresses allowed them to access the content behind them.

For instance, a standard Google Maps URL takes up around 150 characters, but for simple sharing the product provided a six-character alternative. However, the set of six-character combinations is small enough that it is possible to break simply by trial and error, exposing cloud storage files and mapping requests to the world. In particular, Georgiev and Shmatikov found that links to Google Maps data and to documents stored on Microsoft's OneDrive were being shared with short URLs. The researchers also said it would theoretically be possible to add malware and malicious documents to OneDrive folders, which would then automatically be synced to a user's computer.

Much like how attackers brute-force a password by hurling hundreds or even thousands of attempts against a hash for hours, a related method could be used to find all the shortened URLs on a particular service. URL shorteners typically generate 6 to 8 random characters at the end of their URLs to make them "unique", but because so few characters are used, the brute-force attacker's job becomes a whole lot simpler. According to the research, just over 3,000 of the 42 million short URLs scanned led to publicly accessible OneDrive folders. The researchers warn that such a folder could easily be exploited once people find it.

At the end of the paper, the researchers describe the contrasting ways in which Google and Microsoft handled the disclosure.
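To make the keyspace argument concrete, here is an added Python example (not code from the paper or from any of the services named) that computes the size and entropy of a random token of a given length over the 62-character alphanumeric alphabet, the time needed to enumerate that space at a sustained request rate, and the chance that a single random guess lands on an already-issued URL. It also shows the defender's side: generating share tokens from the OS CSPRNG and refusing lengths that fall below a minimum entropy. The request rate (1,000/s), the number of issued tokens (10 million) and the 64-bit minimum are illustrative assumptions, not figures from the research.

```python
import math
import secrets
import string

# 62-character alphabet (A-Z, a-z, 0-9) that bit.ly-style shorteners use for the token.
ALPHABET = string.ascii_letters + string.digits
ALPHABET_SIZE = len(ALPHABET)

# Assumed policy for this example: a share token should carry at least 64 bits of entropy.
MIN_TOKEN_BITS = 64


def keyspace_size(length: int) -> int:
    """Number of distinct tokens of the given length (62 ** length)."""
    return ALPHABET_SIZE ** length


def keyspace_bits(length: int) -> float:
    """Entropy in bits of a uniformly random token of the given length."""
    return length * math.log2(ALPHABET_SIZE)


def seconds_to_enumerate(length: int, requests_per_second: float) -> float:
    """Wall-clock seconds needed to try every token once at a sustained rate."""
    return keyspace_size(length) / requests_per_second


def hit_probability(length: int, issued_tokens: int) -> float:
    """Chance that one uniformly random guess lands on a token the service has issued."""
    return issued_tokens / keyspace_size(length)


def minimum_length_for_bits(target_bits: float) -> int:
    """Shortest token length whose keyspace reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(ALPHABET_SIZE))


def token_length_ok(length: int) -> bool:
    """Policy check: does this length meet the assumed minimum entropy?"""
    return keyspace_bits(length) >= MIN_TOKEN_BITS


def generate_token(length: int) -> str:
    """Generate a share token from the OS CSPRNG; refuse lengths below policy."""
    if not token_length_ok(length):
        raise ValueError(
            f"{length} chars is only {keyspace_bits(length):.1f} bits; need {MIN_TOKEN_BITS}"
        )
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    RATE = 1_000          # assumed sustained guesses per second (illustrative)
    ISSUED = 10_000_000   # assumed number of tokens already handed out (illustrative)
    for n in (6, 8, 12):
        days = seconds_to_enumerate(n, RATE) / 86_400
        print(f"{n:2d} chars: {keyspace_bits(n):5.1f} bits; full enumeration at {RATE}/s "
              f"takes {days:,.0f} days; P(random guess hits a live token) = "
              f"{hit_probability(n, ISSUED):.2e}")
    print(f"minimum length for {MIN_TOKEN_BITS} bits: {minimum_length_for_bits(MIN_TOKEN_BITS)}")
    print("example token:", generate_token(12))
```

With these assumptions a six-character token gives about 35.7 bits, so the whole space can be walked in roughly 657 days at 1,000 guesses per second, and one guess in every few thousand hits a live URL when ten million have been issued; doubling the length to twelve characters pushes the space past 71 bits, where exhaustive enumeration at the same rate takes on the order of 10^13 days. The policy check is the knob a service owner controls: the token length, together with a CSPRNG, is what makes a share link unguessable.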
Google doubled the character length and later told WIRED that it "appreciate contributions to the safety of Google Maps and Google products." Microsoft, meanwhile, is cited by the researchers as saying that the vulnerability "does not currently warrant an MSRC case," even though it did quietly remove the shorten-link function within OneDrive. That is no comfort to existing users who remain exposed.

Source: ArXiv