URL shorteners expose your private data
Cornell Tech researchers have published a paper warning that URL shorteners cause potential privacy problems in cloud services.
Titled Gone in Six Characters: Short URLs Considered Harmful for Cloud Services, the paper said that for many services it was easy to search through all possible combinations of URL mappings.
Until September 2015, Google used five characters in its URL shortener.
The researchers were able to search through all of the short links generated by Google Maps, discovering people’s private addresses and other sensitive information, Boing Boing reported.
Google has since increased the token size of its Maps URLs to 11 or 12 characters.
Microsoft’s OneDrive was similarly easy to search, and in 7% of cases OneDrive accounts exposed in this way let anyone write into them.
This could let an attacker copy files onto your system.
Ars Technica reported that the researchers also looked through 100 million addresses on bit.ly’s domain space, using 189 machines to access the bit.ly service’s search API.
Of the six-character tokens they searched, 42 million resolved to URLs. Of these, 19,524 led to OneDrive files and folders, most of them live, the researchers said.
Searching through seven-character tokens resulted in a 29% hit rate, with 47,081 OneDrive and SkyDrive URLs – of which 35,541 were live.
According to the researchers, Microsoft has stopped offering bit.ly URL shortening directly in OneDrive, but the company did not acknowledge short URLs as a security hole.
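As an added illustration (not taken from the paper or this article), the sketch below shows why token length matters to a service that issues share links. It computes the token space for the lengths mentioned above, the time to enumerate it at a given request rate, and the shortest length that keeps the expected number of random-guess hits under a target. The 62-character alphabet, the request rate and the live-link count are assumptions chosen for the example.

```python
import secrets
import string

# Assumption: tokens draw from a 62-symbol alphabet (a-z, A-Z, 0-9).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def days_to_enumerate(length, requests_per_second):
    """Days needed to request every token once at a sustained rate."""
    return keyspace(length) / requests_per_second / 86_400


def expected_hits(length, live_links, requests):
    """Expected live links found by `requests` random guesses,
    assuming live tokens are spread uniformly over the keyspace."""
    return requests * min(1.0, live_links / keyspace(length))


def min_length(live_links, requests, max_expected_hits):
    """Shortest token length that keeps expected hits at or under the target."""
    length = 1
    while expected_hits(length, live_links, requests) > max_expected_hits:
        length += 1
    return length


def new_token(length):
    """Token from the OS CSPRNG, so issued tokens are not sequential."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    RATE = 1_000   # constructed value: scanner requests per second
    LIVE = 10**9   # constructed value: number of live shared links
    for n in (5, 6, 7, 11, 12):
        print(f"{n:2d} chars: {keyspace(n):.3e} tokens, "
              f"{days_to_enumerate(n, RATE):.3e} days to enumerate")
    # Length at which 10^9 guesses are expected to find at most one live link
    print("minimum length:", min_length(LIVE, 10**9, 1.0))
    print("sample token:", new_token(12))
```

Under these assumptions a five-character space can be walked in under two weeks at 1,000 requests per second, which is why rate limiting alone does not compensate for a short token.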