URL shorteners are great tools: they let anyone remember long links, or simply shorten them for other reasons. They are very helpful for lots of people and make life a bit simpler. Sadly, they can simplify the life of some hackers too. With short URLs, hackers can simply guess thousands of URLs until they hit one that might be yours.
URL shorteners are used by big companies like Microsoft and Google. Microsoft uses link shorteners for things like OneDrive and shared links; Google uses them for Maps searches. Some of this information is very private, but sadly both companies used Bit.ly’s URL shortening system to generate links with only six ‘random’ characters. That is so little that it is very easy for anyone with a bit of coding knowledge and some interest to write a program that guesses them.
In a perfect world, finding a link like this would get you nowhere: you would have the link, but the content behind it would still be protected. Sadly, Google and Microsoft decided to treat some of these links as private simply because they are randomly generated. For example, sharing a OneDrive document by giving the link it spits out to trusted people could effectively make it public, since others could find the short link by randomly guessing it! Because of this vulnerability, some researchers at Cornell Tech decided to show Google and Microsoft how bad a problem this could be.
After more than one and a half years of work, the researchers published a paper showing what could be done with the URLs. They randomly generated URLs until they found working ones, and because some of those URLs were not protected, they say they could have done a lot of harm to the users. Since most people using OneDrive use a syncing feature to back everything up onto their computer, the researchers could have uploaded files such as viruses into the users’ accounts and had them land straight on their computers. Google Maps also uses shortened URLs. After generating 23 million URLs for Google Maps (of which 10% worked), the researchers were able to find out who had requested directions to specific places, since they could see both the starting and ending point, and either could have been somebody’s home.
After all their work, the researchers warned both Google and Microsoft about this threat. When they told Google, in September last year, Google responded seriously by lengthening its shortened URLs to 11 or 12 characters and by creating a new way of identifying and blocking automated scanning of shortened URLs. On the other hand, when the researchers showed their results to Microsoft, in May last year, Microsoft completely ignored them, until last month, when it finally removed URL shortening from OneDrive altogether.
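To make the two numbers in this story concrete, here is a small added example (my own code, not from the Cornell Tech paper or either company). It shows why six characters are so easy to hit and what the two fixes Google chose actually buy: the keyspace calculation compares 6-character and 11-character tokens, `new_token` generates tokens with a cryptographically secure generator, and `flag_scanners` is a toy version of the "detect automated scanning" idea run over a constructed access log. The 62-symbol alphabet, the log line format and the IP addresses are assumptions for the example, and the 10% live fraction is taken from the article's Google Maps figure.

```python
import secrets
import string
from collections import Counter

# Assumed alphabet for short-link tokens: 26 lowercase + 26 uppercase + 10 digits.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def guesses_per_hit(length: int, live_links: int) -> float:
    """Expected number of random guesses needed to land on one live link,
    given that `live_links` tokens are in use across the whole keyspace."""
    return keyspace(length) / live_links


def new_token(length: int = 11) -> str:
    """Mint a token using the `secrets` module (CSPRNG), never `random.random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def flag_scanners(log_lines, threshold: int = 50) -> dict:
    """Return {client_ip: not_found_count} for clients whose 404 responses
    reach `threshold`. Assumed line format: '<ip> <method> <path> <status>'.
    A human mistypes a link once or twice; a guesser misses almost every time."""
    misses = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines instead of crashing
        ip, _method, _path, status = parts
        if status == "404":
            misses[ip] += 1
    return {ip: n for ip, n in misses.items() if n >= threshold}


def constructed_sample_log() -> list:
    """Constructed sample access log (not real data): one ordinary visitor from a
    TEST-NET address and one client that mostly requests non-existent tokens."""
    lines = [
        "198.51.100.3 GET /kF2x9Qm 200",
        "198.51.100.3 GET /kF2x9Qn 404",  # a single typo from a real user
        "198.51.100.3 GET /pZ8wL1c 200",
    ]
    for i in range(60):
        lines.append(f"203.0.113.7 GET /aaaa{i:02d} 404")
    lines.append("203.0.113.7 GET /kF2x9Qm 200")  # one lucky hit among many misses
    return lines


if __name__ == "__main__":
    # The article's figure: 10% of random 6-character guesses were live links.
    live = keyspace(6) // 10
    print("6-char keyspace:", keyspace(6))
    print("guesses per hit at 6 chars:", round(guesses_per_hit(6, live)))
    # Same number of live links, but spread over an 11-character space.
    print("guesses per hit at 11 chars:", f"{guesses_per_hit(11, live):.2e}")
    print("example secure token:", new_token(11))
    print("flagged clients:", flag_scanners(constructed_sample_log()))
```

Keeping the number of live links fixed and going from 6 to 11 characters multiplies the expected guesses per hit by 62^5, roughly nine hundred million, which is why longer tokens alone turn a weekend project into an infeasible one. The 404-counting check is deliberately simple; a real deployment would key on more than one signal and apply the block at the edge, but the principle that a guesser produces far more misses than any legitimate user is the same one the article describes.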
The worrying part is that the researchers from Cornell say they are still able to use all of the vulnerable links from before. Even though those older URLs stay vulnerable, the problem is reduced going forward, but people and companies around the world still need to learn about the negative effects a short URL can have, to close off the possibility of attacks on private information.