URL shorteners expose your documents and driving routes

WIRED

URL shorteners provide a useful, simple way of sharing links, but those links can unwittingly expose your most personal information.

Two researchers analysed millions of bit.ly-generated short URLs and found that randomly generating candidate addresses let them reach the content behind many of them.

The team, led by Cornell Tech, generated more than 200 million short URLs for Google- and Microsoft-hosted content (both services use bit.ly's backend) and was able to access millions of driving routes and hundreds of thousands of private documents. In particular, the links pointed to Google Maps data and to documents stored on Microsoft's OneDrive.

The researchers also said it would be theoretically possible to add malware and malicious documents to OneDrive folders, which would then be automatically synced to a user's computer.

Vitaly Shmatikov, who led the study, said the flaw in short URLs had "serious consequences" for the security of cloud services. "In both cases, whenever a user wants to share a link to a document, folder, or map with another user, the service offers to generate a short URL – which, as we show, unintentionally makes the original URL public," Shmatikov wrote in a blog post.

For the study, Shmatikov and independent researcher Martin Georgiev generated short URLs with five and six characters after the domain name. For bit.ly they created 100 million potential six-character URLs using 189 machines. That figure represents just 0.176 per cent of the possible six-character short URLs.

Once the researchers had generated the URLs, they scanned them to see which were active.

For OneDrive, 42 per cent of the 100 million URLs generated were active, and 19,524 of them led to accessible files and folders. Once a URL had been accessed, the researchers explained, it was possible to predict the file structure and reach other files and folders belonging to the same user.

Among the accessible files, the researchers said, were Word, Excel, PowerPoint, OneNote, PDF, survey and other media files that could be downloaded. These were reachable through both six- and seven-character URLs. In a statement to WIRED.com, Microsoft, which initially did not react to the researchers' work, said it had now started to remove URL shorteners from its file-sharing options.

When looking at Google Maps the researchers found 23,965,718 live links, with ten per cent being driving directions.

"These include directions to and from many sensitive locations: clinics for specific diseases (including cancer and mental diseases), addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, gentlemen's clubs, etc."

By comparing the directions with public housing records, the researchers said it would be possible to identify the person who made the trip. "For instance, when analysing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a Planned Parenthood facility," Shmatikov said.

Google, when told about the exploit in 2015 by the researchers, increased the number of characters after the domain to 11 or 12, limiting the likelihood of someone being able to guess or brute-force the links. The researchers said Google had also introduced new ways to limit the scanning of existing URLs.
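The arithmetic behind the 0.176 per cent figure above, and behind Google's move to 11- or 12-character tokens, is worth making explicit. The following is an added example written for this article, not code from the researchers or from any shortener: it assumes a 62-symbol alphabet of upper- and lower-case letters and digits (100 million guesses against 62^6 reproduces the article's 0.176 per cent, so that assumption is consistent with the study), treats the number of live URLs as a constructed figure, and shows how token length changes the expected number of random guesses per live hit. The `random_token` helper is the defender-side fix: draw tokens from a cryptographic random source over the whole alphabet.

```python
import math
import secrets
import string

# Assumed token alphabet: A-Z, a-z, 0-9 (62 symbols). This is an assumption made
# for the example; it matches the article's 0.176 per cent figure for 100M / 62**6.
ALPHABET = string.ascii_letters + string.digits


def keyspace(token_len: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of a given length."""
    return alphabet_size ** token_len


def coverage_percent(guesses: int, token_len: int) -> float:
    """Share of the token space, in per cent, that `guesses` distinct random tokens cover."""
    return 100.0 * guesses / keyspace(token_len)


def entropy_bits(token_len: int) -> float:
    """Unpredictability of a uniformly random token, in bits."""
    return token_len * math.log2(len(ALPHABET))


def guesses_per_hit(live_urls: int, token_len: int) -> float:
    """Expected random guesses before one lands on a live short URL, given the
    number of tokens currently in use (the density of the space)."""
    return keyspace(token_len) / live_urls


def random_token(token_len: int) -> str:
    """Shortener-side mitigation: a CSPRNG-drawn token over the full alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(token_len))


def compare_lengths(live_urls: int, lengths=(6, 7, 11, 12)) -> dict:
    """Side-by-side view of keyspace, entropy and guessing cost per token length."""
    return {
        n: {
            "keyspace": keyspace(n),
            "bits": round(entropy_bits(n), 1),
            "guesses_per_hit": guesses_per_hit(live_urls, n),
        }
        for n in lengths
    }


if __name__ == "__main__":
    # 100 million six-character guesses, as in the study
    print(f"100M guesses cover {coverage_percent(100_000_000, 6):.3f}% of 6-char tokens")
    # 10 million live URLs is a constructed figure, not a number from the article
    for n, row in compare_lengths(10_000_000).items():
        print(f"{n:2d} chars: {row['bits']:5.1f} bits, "
              f"~{row['guesses_per_hit']:.3g} guesses per live hit")
    print("example 12-char token:", random_token(12))
```

Reading the output: at six characters, a few thousand random guesses are enough to expect one live hit, so a modest fleet of machines can harvest links in bulk; at twelve characters the same density needs on the order of 10^14 guesses per hit, which is what makes the longer tokens a meaningful defence rather than a cosmetic one.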

Shmatikov argued that cloud services using URL shorteners should detect and limit URL scanning, consider using CAPTCHAs, and design APIs that don't expose every URL in a structure if one is leaked.
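The first of those recommendations, detecting and limiting scanning, comes down to noticing a client that resolves many tokens in a short window and misses on most of them, which is exactly what random enumeration looks like from the shortener's side. The example below is added here and is not code from the study or from any shortener: it parses a constructed resolver log (timestamp, client address, requested token, HTTP status; the format is an assumption) and flags a source once it has made at least ten lookups in a 60-second window with a miss ratio of 50 per cent or more. Legitimate users, who follow links they were given, produce a handful of successful redirects and are never flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a shortener's resolver log (not real traffic).
# 203.0.113.5 walks through sequential tokens and mostly gets 404s;
# 198.51.100.7 and 192.0.2.9 behave like ordinary users.
SAMPLE_LOG = """\
2016-04-18T10:00:00Z 198.51.100.7 GET /3xK9pQ 302
2016-04-18T10:00:01Z 203.0.113.5 GET /aB3dE1 404
2016-04-18T10:00:02Z 203.0.113.5 GET /aB3dE2 404
2016-04-18T10:00:03Z 203.0.113.5 GET /aB3dE3 404
2016-04-18T10:00:04Z 203.0.113.5 GET /aB3dE4 404
2016-04-18T10:00:05Z 203.0.113.5 GET /aB3dE5 404
2016-04-18T10:00:06Z 203.0.113.5 GET /aB3dE6 404
2016-04-18T10:00:07Z 203.0.113.5 GET /aB3dE7 404
2016-04-18T10:00:08Z 203.0.113.5 GET /aB3dE8 404
2016-04-18T10:00:09Z 203.0.113.5 GET /aB3dE9 302
2016-04-18T10:00:10Z 203.0.113.5 GET /aB3dF0 404
2016-04-18T10:00:11Z 203.0.113.5 GET /aB3dF1 404
2016-04-18T10:00:12Z 203.0.113.5 GET /aB3dF2 302
2016-04-18T10:00:13Z 198.51.100.7 GET /7mN2wZ 302
2016-04-18T10:00:14Z 192.0.2.9 GET /zz9Q1a 404
2016-04-18T10:00:30Z 198.51.100.7 GET /3xK9pQ 302
"""

# Assumed log line shape: "<ISO timestamp> <client ip> GET /<token> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) GET /(?P<token>[A-Za-z0-9]+) (?P<status>\d{3})$"
)


def parse_log(text: str) -> list:
    """Turn log text into (timestamp, ip, token, status) tuples, oldest first.
    Malformed lines are skipped rather than allowed to abort the analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["token"], int(m["status"])))
    events.sort(key=lambda e: e[0])
    return events


def detect_scanners(events, window=timedelta(seconds=60),
                    min_lookups=10, min_miss_ratio=0.5) -> dict:
    """Sliding-window check per client: flag once a client has at least
    `min_lookups` resolutions inside `window` and at least `min_miss_ratio`
    of them failed (status >= 400). Returns the state at the moment of flagging."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, was_miss)
    flagged = {}
    for ts, ip, _token, status in events:
        q = recent[ip]
        q.append((ts, status >= 400))
        while q and ts - q[0][0] > window:   # drop lookups outside the window
            q.popleft()
        misses = sum(1 for _, miss in q if miss)
        if ip not in flagged and len(q) >= min_lookups \
                and misses / len(q) >= min_miss_ratio:
            flagged[ip] = {"lookups": len(q), "misses": misses, "first_flagged": ts}
    return flagged


def flagged_ips(text: str) -> list:
    """Convenience wrapper: sorted list of clients that look like scanners."""
    return sorted(detect_scanners(parse_log(text)))


if __name__ == "__main__":
    for ip, info in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['misses']}/{info['lookups']} misses, "
              f"first flagged at {info['first_flagged']:%H:%M:%S}")
```

In practice the flag would feed a rate limiter or the CAPTCHA step Shmatikov suggests rather than a hard block, since a single shared NAT address can hide many ordinary users; the miss ratio is what separates enumeration from a busy but legitimate source.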

This article was originally published by WIRED UK