If you find long URLs awkward to share and plan to run them through Bit.ly to shorten them, extreme caution is recommended. Recent research on the most widely used URL shorteners, such as bit.ly and goo.gl, has revealed how an attacker can reach personal data stored in a cloud drive by way of the shortened URL.
URL shorteners such as bit.ly, goo.gl and even Microsoft's 1drv.ms turn long URLs into short ones consisting of a domain name followed by a five-, six- or seven-character token. This simple convenience turns out to have an unintended consequence. According to the study, the tokens are so short that the entire token space can be scanned by brute force. As a result, the long URLs effectively become public and can be discovered by attackers.
The study, conducted by Vitaly Shmatikov and Martin Georgiev over 18 months, focuses on two services in detail: Microsoft's OneDrive cloud storage (formerly known as SkyDrive) and Google Maps. In both, when a user wants to share a link to a document, folder or map with another user, the service automatically offers to generate a short URL. The study shows how this unintentionally makes the original URL public, allowing anyone to get hold of sensitive information inside password-protected cloud drives.
The researchers say they took a sample of roughly 100 million bit.ly URLs with randomly chosen six-character tokens, of which 42% resolved to their actual long URLs. Of these, a shocking 19,524 URLs led directly to users' OneDrive/SkyDrive files and folders.
Google Maps short URLs were even simpler to find: prior to September 2015, the company used only a five-character token for short URLs generated from Maps. The researchers therefore discovered over 23 million Google Maps URLs in their samples, about 10% of which were stored directions from one location to another, while the remainder were address locations. These were largely associated with specific Google user accounts, creating a potential privacy hole.
Token sizes change
Shmatikov and Georgiev say they informed both Google and Microsoft about the loophole behind this privacy breach. Google responded immediately and increased the size of its Maps short URL tokens to 11 or 12 characters, whereas Microsoft's Security Response Center did not consider it a security flaw and said it was probably a design error.
However, as of March 2016 the URL shortening option has vanished from the OneDrive interface, and the researchers say Microsoft denied that this change had anything to do with the report they provided. Even so, all previously generated short OneDrive URLs remain vulnerable to scanning and malware injection.
Many other URL shortening services may have similar loopholes. To avoid exposure, Shmatikov and Georgiev advise relying on platforms that use longer tokens in their short URLs.
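To make the arithmetic behind that advice concrete, here is an added example (not from the study or this article) that estimates the share of a six-character token space in use from the figures quoted above (42% of 100 million random probes resolving) and then works out how long tokens must be before random probing stops paying off. Treating the 42% hit rate as the fraction of the token space that is allocated is an assumption of this example.

```python
import math
import secrets
import string

# Letters and digits: the 62-symbol alphabet bit.ly-style tokens draw from.
ALPHABET = string.ascii_letters + string.digits


def keyspace(token_len: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** token_len


def entropy_bits(token_len: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random token of the given length."""
    return token_len * math.log2(alphabet_size)


def estimated_live_urls(hit_fraction: float, token_len: int) -> int:
    """Assumption: the fraction of random probes that resolve equals the
    fraction of the token space that is allocated, so the number of live
    short URLs is that fraction of the whole space."""
    return int(hit_fraction * keyspace(token_len))


def expected_hits(probes: int, live_urls: int, token_len: int) -> float:
    """Expected number of live URLs reached by `probes` random tokens when
    `live_urls` of the `token_len`-character space are allocated."""
    return probes * live_urls / keyspace(token_len)


def min_token_len(live_urls: int, probes: int, max_expected_hits: float = 1.0) -> int:
    """Smallest token length at which `probes` random guesses are expected to
    reach fewer than `max_expected_hits` live URLs: the defender's sizing rule."""
    n = 1
    while expected_hits(probes, live_urls, n) >= max_expected_hits:
        n += 1
    return n


def new_token(token_len: int) -> str:
    """Generate a token with a cryptographically secure RNG; pair it with a
    length chosen by min_token_len so the space stays sparse."""
    return "".join(secrets.choice(ALPHABET) for _ in range(token_len))


if __name__ == "__main__":
    live = estimated_live_urls(0.42, 6)      # from the 42% of 100M figure
    print(f"6-char space: {keyspace(6):,} tokens, ~{live:,} live URLs")
    print("hits expected from 100M probes at 11 chars:",
          round(expected_hits(100_000_000, live, 11), 3))
    print("token length needed:", min_token_len(live, 100_000_000), new_token(11))
```

With the same population of live URLs, lengthening the token to 11 characters drops the expected yield of 100 million random probes from about 42 million URLs to well under one, which is the scale of change Google made for Maps.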
The two researchers also made some suggestions for cloud services on how to make their systems more secure. These are as follows: