URL Shorteners Are Attractive, Convenient, and a Security Risk



Those services that automatically shorten unwieldy and lengthy web addresses are great. They allow you to send something that is a few characters long rather than some mess that spans three full lines. Unfortunately, at least some of them can be compromised to reveal personal information. Worse still, they could create an easy pathway to get malware onto your computer.

[Microsoft] used Bit.ly to generate shortened URLs for files or folders that people have made shareable on its OneDrive storage site. So the Cornell researchers randomly generated more than 71 million possible OneDrive short URLs, of which more than 24,000 turned out to be live, working links to files and folders. […] The researchers say they could often tweak that web address to access other files or folders uploaded by the same OneDrive user. And about 7 percent of the files or folders were editable by anyone who visited.

That means, the researchers point out, that they could not only mess around with peoples’ data, but even add malware to their cloud storage, which—thanks to a synchronization feature—is often copied automatically to the victim’s PC.

Of course, this method of compromising the URLs takes brute-force random generation to accomplish, but that’s basically what computers are built to be really great at. Lest you assume that this was a Microsoft-only problem, the researchers did the same with Google Maps, which also uses Bit.ly to share shortened links to directions. Brute forcing a whole bunch (23 million, to be exact) of Google Maps URLs resulted in about 10 percent of links being real directions someone had looked up.

To fully illustrate the creepy potential of that publicly accessible mapping data, the researchers went so far as to identify one “young woman” who had shared directions to a Planned Parenthood facility. Starting with the Google Maps data from shortened URLs that pointed to her home, they were able to confirm her address, full name and age—thankfully none of which they shared in the paper.

Google has since lengthened its shortened URLs, which helps increase security, and Microsoft removed the short URL option from OneDrive, but the researchers warn that the privacy concern remains with any shortened URL scheme and, worse still, a bunch of the data they found remains live. Sometimes convenience isn’t necessarily worth it.
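Why lengthening the token helps can be worked out directly. The following is an added example, not code from the researchers or from any shortening service: it estimates how many live links a random scan is expected to hit and finds the shortest token that pushes that figure below a chosen threshold. The 62-character alphabet, the 6-character starting length, and the 20 million live links are constructed assumptions; only the 71 million guess budget is taken from the article.

```python
import secrets
import string

# Assumed alphabet: upper-case, lower-case and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def expected_hits(guesses, live_links, token_len, alphabet_size=len(ALPHABET)):
    """Expected number of live links found by `guesses` uniformly random tokens."""
    keyspace = alphabet_size ** token_len
    return guesses * live_links / keyspace


def min_token_len(live_links, guess_budget, max_expected_hits,
                  alphabet_size=len(ALPHABET)):
    """Shortest token length for which a scanner making `guess_budget` random
    guesses is expected to find at most `max_expected_hits` live links."""
    length = 1
    while guess_budget * live_links > max_expected_hits * alphabet_size ** length:
        length += 1
    return length


def new_token(length):
    """Generate a token from a CSPRNG so that values are not predictable
    from earlier ones (sequential or timestamp-based ids defeat the math above)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    LIVE = 20_000_000      # constructed: live links on a hypothetical service
    BUDGET = 71_000_000    # scan size reported in the article

    # Short tokens: a scan of this size turns up tens of thousands of links.
    print(f"6 chars : {expected_hits(BUDGET, LIVE, 6):,.0f} expected hits")

    # Length needed so the same scan expects at most one hit, then at most
    # one hit in a million such scans.
    for threshold in (1, 1e-6):
        n = min_token_len(LIVE, BUDGET, threshold)
        print(f"<= {threshold:g} hit(s): {n} chars, e.g. {new_token(n)}")
```

A longer token only lowers the hit rate of guessing; anything that should stay private still needs an access check behind the link.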

Featured image: “Closeup of Address Bar of Web Browser” from Shutterstock.


  • I don’t understand why anything would think it would be a good idea to give a private link to a third-party to shorten.