URL shorteners are nothing new and are useful for generating abbreviated versions of long links with far fewer characters. Typically, shortened URLs are meant for ease of sharing, such as sharing a cloud folder with a select number of collaborators. For example, a standard Google Maps URL can run to 150 characters, while a shortened URL may offer a six-character alternative. If you have a file in your OneDrive account that you want to share with someone, you would open it in your account and create a link to it. Microsoft would then use Bit.ly to craft a much shorter link, which looks a lot nicer than the full one.
Source: Crazy Engineers
Short URLs have benefits beyond looking better in conversations: they also help when using services such as Twitter or traditional SMS, which limit the number of characters you can use. Additionally, short URLs allow services to track the number of clicks on a specific link, which makes them very useful for gauging audience reach and engagement.
However, these shortened URLs carry a hidden danger you may not even be aware of. As it turns out, generating a shortened URL may also expose a person to security risks. In the wrong hands, a shortened URL is highly susceptible to brute-force search, given that the link contains only a handful of characters.
In a new study, Vitaly Shmatikov, a professor at Cornell Tech, and visiting researcher Martin Georgiev investigated how the URL shortening methods used by Microsoft in its OneDrive cloud storage app and by Google in its Maps service could be allowing hackers to gain access to your personal data. The findings of the 18-month-long research were released just a week ago in a research paper titled Gone in Six Characters: Short URLs Considered Harmful for Cloud Services.
The study began when the scientists realised that Microsoft OneDrive and Google Maps used Bit.ly’s URL shortening service to generate web addresses with only six seemingly random characters. Six characters are few enough that a hacker could easily use software to automatically generate, visit and analyze all of the millions of possible shortened URLs, or at least a significant fraction of them.
In the study, the pair demonstrated the privacy-invasive potential of “brute-forcing” shortened URLs by generating more than 200 million Google and Microsoft shortened URLs, simply guessing at shortened URLs until they found working ones. Given the short, predictable structure of the URLs generated by Bit.ly, Shmatikov and Georgiev found it easy to access millions of driving routes and hundreds of thousands of private documents containing sensitive information.
If the seemingly random string of characters after the domain name, the token (the “1f9lqAP” in bit.ly/1f9lqAP, for example), is too short, then someone with enough computing power can guess random strings and potentially stumble upon something the owner wanted to keep private, or only chose to share with personal friends and family. A small number of brute-force attempts against short links, which typically contain about five or six characters, is far likelier to yield a working link than the same number of attempts against standard, longer links, where working combinations are much harder to find.
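The relationship between token length and guessability can be put into numbers. The following is an added example, not code from the paper or from Bit.ly, Google or Microsoft: it computes the keyspace and entropy of a token for a given alphabet, the probability that one random guess lands on a live link, and the minimum token length a service operator needs to keep that probability below a chosen bound. The 62-symbol alphabet (digits plus upper- and lower-case letters) and the live-link counts used in the test are assumptions for illustration; the page itself reports roughly 24 million live map URLs for Google’s five-character scheme, which is the figure used below.

```python
import math
import secrets
import string

# Assumed alphabet: digits plus upper- and lower-case ASCII letters (62 symbols).
# This is a common shortener choice, not a claim about any specific service.
TOKEN_ALPHABET = string.digits + string.ascii_letters
ALPHABET_SIZE = len(TOKEN_ALPHABET)


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct tokens of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Bits of entropy in a uniformly random token of this length."""
    return length * math.log2(alphabet_size)


def hit_probability(live_links: int, length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Probability that a single uniformly random guess resolves to a live link."""
    return live_links / keyspace(length, alphabet_size)


def expected_guesses_per_hit(live_links: int, length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Average number of random guesses needed before one lands on a live link."""
    return 1.0 / hit_probability(live_links, length, alphabet_size)


def minimum_length(live_links: int, max_hit_probability: float,
                   alphabet_size: int = ALPHABET_SIZE) -> int:
    """Smallest token length for which a random guess hits a live link with
    probability at most max_hit_probability (a design target chosen by the operator)."""
    length = 1
    while hit_probability(live_links, length, alphabet_size) > max_hit_probability:
        length += 1
    return length


def generate_token(length: int) -> str:
    """Mint a token with a CSPRNG so tokens are neither sequential nor predictable.
    Token length should come from minimum_length(), not from aesthetics."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Illustrative figure taken from the page: ~24 million live map URLs behind
    # five-character tokens. All other numbers are derived from it.
    live = 24_000_000
    for n in (5, 6, 11, 12):
        print(f"length {n:2d}: keyspace {keyspace(n):.3e}, "
              f"{entropy_bits(n):.1f} bits, "
              f"1 hit per {expected_guesses_per_hit(live, n):.3e} guesses")
    print("length needed for hit probability <= 1e-9:", minimum_length(live, 1e-9))
    print("sample token:", generate_token(minimum_length(live, 1e-9)))
```

The practical lesson for anyone running a shortener or a sharing feature is that the token must be sized against the number of secrets it protects, not against what looks tidy in a tweet: with tens of millions of live links behind five characters, roughly one guess in forty succeeds, while at eleven or twelve characters a single guess has a success probability on the order of one in a trillion.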
Shmatikov illustrates the dangers of this technique in a blog post:
“The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a Planned Parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom.”
While investigating Microsoft’s case, the researchers carried out a series of automated scans of Microsoft’s 1drv.com domain, which generates short Bit.ly URLs for files or folders people make shareable on the OneDrive storage site. Because of the short, predictable structure of the six-character URLs, 42% of the 100 million 1drv.com URLs the researchers scanned turned out to be valid, working links, of which 19,524 pointed to OneDrive files and folders.
For these URLs, the researchers found that not only could they extract the user’s ID and account authentication key from the link itself, but they could also extend their reach by accessing additional files through the same account. From these links, the researchers were able to expose an additional 227,276 publicly accessible OneDrive documents.
To make matters worse, 7% of the uncovered OneDrive folders were found to be writable, so an attacker could delete the files or inject malware into them. Because cloud services sync automatically, an attacker could modify a file with malicious code while it sits in the cloud and wreak havoc on a user’s computer when whatever was stored online is automatically copied to the desktop. The victim would be left wondering how the malware appeared.
Shmatikov and Georgiev stated that, to avoid ethical and legal ambiguity, they never downloaded any of the files during the investigation.
Similarly, the researchers ran the tests against shortened Google Maps goo.gl URLs and unearthed a variety of personal information about the users who generated them. Prior to September 2015, Google Maps had used only five-character shortened URLs, which were much simpler to scan. Of the 23,965,718 live map URLs they found in the tests, 10% contained driving directions a user had actually requested, which more often than not involved sensitive locations that most people would prefer to keep private.
Looking at some of the driving directions, the details could be used to infer sensitive information about each subject, such as their daily habits and hints to their true identities. Because many of the directions had a person’s residential address as one end of the route, the tests could reveal a great deal about the users by examining their various destinations. These included GPS coordinates for “clinics for specific diseases (including cancer and mental illnesses), addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, and gentlemen’s clubs”, most of which users would ordinarily prefer to keep secret.
In fact, they found that the same problem persisted with shortened URLs on other map providers such as MapQuest, Bing Maps, and Yahoo! Maps, although on a smaller scale than Google Maps.
Of the two companies investigated, Google reacted much more quickly to the findings of Shmatikov and Georgiev. When the researchers notified Google about their work in September 2015, Google responded within a week by increasing its tokens from five random characters to 11 or 12, which are far harder to guess. Furthermore, Google’s engineers took measures to identify and block automated scans of shortened URLs so that this information would not be so easily obtainable by a hacker. In a statement to Wired, a Google spokesperson wrote that the company “appreciates the Cornell Tech researchers’ contributions to the safety of Google Maps and other Google products. The Cornell researchers notified us last year about this issue and we’ve since strengthened URL protections based on their findings and our own studies.”
Conversely, when Shmatikov and Georgiev contacted Microsoft on 28 May 2015 regarding the URL vulnerability, they said Microsoft’s Security Response Center failed to acknowledge the issue as a ‘security’ problem, instead attributing it to a design error. While Microsoft did not take as kindly to the researchers pointing out the flaw in its service as Google did, it nevertheless disabled the OneDrive URL shortening feature last month, nine months after the researchers contacted the company, although it maintained that the removal was unrelated to the disclosure. A Microsoft spokesperson said in a statement: “We’re continually looking for ways to improve the usability, features and security of our products and services for customers… As part of these efforts, earlier this year we began removing shortened URLs from file sharing options to simplify for users and prepare for future developments.”
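Lengthening tokens is only half of Google’s response; the other half is spotting enumeration in the first place. The following is an added example, not code from Google, Bit.ly or the paper: it shows the kind of server-side check that distinguishes a scanner from an ordinary user in access logs. The idea is that a legitimate user requests a handful of tokens that mostly resolve, while an enumerator requests many distinct tokens of which the overwhelming majority return 404. The log format, the client addresses and every log line below are constructed for this example, and the thresholds are illustrative assumptions an operator would tune to their own traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in a simplified Apache-style format (hypothetical):
#   client_ip "GET /<token> HTTP/1.1" status
# 203.0.113.7 is an ordinary user (two good links, one typo).
# 198.51.100.4 walks through consecutive six-character tokens and almost always misses.
# 192.0.2.9 is another ordinary user.
SAMPLE_LOG = """\
203.0.113.7 "GET /1f9lqAP HTTP/1.1" 301
203.0.113.7 "GET /1f9lqAp HTTP/1.1" 404
203.0.113.7 "GET /3xQ9abc HTTP/1.1" 301
198.51.100.4 "GET /aaaaa0 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa1 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa2 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa3 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa4 HTTP/1.1" 301
198.51.100.4 "GET /aaaaa5 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa6 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa7 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa8 HTTP/1.1" 404
198.51.100.4 "GET /aaaaa9 HTTP/1.1" 404
198.51.100.4 "GET /aaaaaA HTTP/1.1" 404
198.51.100.4 "GET /aaaaaB HTTP/1.1" 404
192.0.2.9 "GET /1f9lqAP HTTP/1.1" 301
192.0.2.9 "GET /1f9lqAP HTTP/1.1" 301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "GET /(?P<token>[0-9A-Za-z]+) HTTP/1\.[01]" (?P<status>\d{3})$'
)


@dataclass
class ClientStats:
    """Per-client counters feeding the enumeration heuristic."""
    requests: int = 0
    misses: int = 0                      # responses with status 404
    tokens: set = field(default_factory=set)  # distinct tokens requested

    @property
    def miss_ratio(self) -> float:
        return self.misses / self.requests if self.requests else 0.0


def parse_line(line: str):
    """Return (ip, token, status) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return m["ip"], m["token"], int(m["status"])


def aggregate(lines):
    """Fold log lines into per-client statistics, skipping unparsable lines."""
    stats = defaultdict(ClientStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, token, status = parsed
        s = stats[ip]
        s.requests += 1
        s.tokens.add(token)
        if status == 404:
            s.misses += 1
    return stats


def flag_scanners(lines, min_requests: int = 10, min_miss_ratio: float = 0.8):
    """Clients that requested at least min_requests distinct tokens and missed on
    at least min_miss_ratio of their requests. Both thresholds are illustrative;
    a real deployment would tune them per time window and rate-limit or block
    flagged clients rather than merely report them."""
    return sorted(
        ip for ip, s in aggregate(lines).items()
        if s.requests >= min_requests
        and len(s.tokens) >= min_requests
        and s.miss_ratio >= min_miss_ratio
    )


if __name__ == "__main__":
    for ip, s in aggregate(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:14s} requests={s.requests:3d} distinct={len(s.tokens):3d} "
              f"miss_ratio={s.miss_ratio:.2f}")
    print("flagged:", flag_scanners(SAMPLE_LOG.splitlines()))
```

The distinct-token condition matters: a user who refreshes a dead link twenty times produces many 404s for a single token and should not be treated as a scanner, whereas an enumerator almost never requests the same token twice.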
The researchers emphasize that all previously generated short OneDrive URLs remain vulnerable to scanning and malware injection, and that much of the exposed data they found remains live and vulnerable even with the fix. The paper goes into much more detail and can be found here.
Sources: Ars Technica, International Business Times