Do Shortened URLs Endanger Privacy?

Are Short URLs Safe?

Using short URLs may expose your files in cloud storage, and even spread malware to computers or mobile devices that are synced to online folders. So say security researchers Martin Georgiev and Vitaly Shmatikov in a paper entitled, Gone in Six Characters: Short URLs Considered Harmful for Cloud Services. You can read Georgiev and Shmatikov's research paper if you like, but I'll summarize it here.

Let's start with a review. Often, websites generate long, unwieldy URLs (web page addresses) which are difficult or impossible to share via email, texting, social media, or instant messaging. Email programs may wrap long lines, truncating URLs or making them unclickable. Text messages are limited to 160 characters, and Twitter's max message length is 140. URL shortening services convert those long URLs (which can be hundreds of characters) into short URLs that are easy to copy, paste and share.

A shortened URL includes a minimal domain (such as 1drv.ms, bit.ly, or goog.gl) followed by a slash and a token - e.g., https://goo.gl/48kaNF. In this case, the six alphanumeric characters, “48kaNF” are the token. When you enter the shortened URL in your browser, the server at goo.gl looks up the token and returns the original, long URL to your browser. Your browser then fetches what’s at that long URL.

Additional information may be embedded in a shortened URL. For instance, when you share a file or folder on Google Drive, you can specify whether the recipient of the shortened URL will have read-only, read/write, or password-protected access to that item.

Suppose you share with someone a shortened URL that leads to a document stored on Google Drive, and give him or her full read-write access. If that person is trustworthy, they'll open the document, read it, and perhaps make updates. But if the short URL that leads to your file falls into the wrong hands, that person can put anything he wants in that file’s location - including malware.

But That's Not All...

That hypothetical malware can also infiltrate any devices (desktops, laptops, tablets or smartphones) that sync to your cloud storage account, and work more mischief on them. Then it can spread to every device that connects to any of your infected devices. The authors of the study see this as potential for "vector for large-scale, automated malware injection."

I don't mean to pick on Google Drive here. Microsoft OneDrive has the same vulnerability in its 1drv.ms shortened URLs. So does bit.ly, an independent URL-shortening service that OneDrive offers as an option (or did, until this research appeared April 10, 2016). In fact, it seems likely that this vulnerability is part of any URL-shortening service; it’s just been overlooked for many years.

A bad guy must know a short URL that points to something in order to exploit its vulnerability. But the researchers found that it’s easy to grind through all possible digit and letter combinations of a six-character token to find all the short URLs that yield long (“live”) URLs. They estimate that a “small” botnet of a few thousand enslaved PCs could do it in a single day.

How to Create a Menu in Wordpress

Share

Watch on

The researchers tested a sample of 100 million bit.ly short URLs, and found that 42% of them resolved to long URLs, of which "19,524 URLs led to OneDrive/SkyDrive files and folders, most of them live." From there, each live URL can be tested to see what access it provides and how it can be exploited; another easy job for a small botnet.

Ultimately, 7% of the OneDrive/SkyDrive short URLs granted read/write access, meaning they could be used to spread malware throughout their owners’ cloud storage space and across any devices that synced to it. That’s a high yield of “exploitables” for hackers and malware distributors!

You might be sharing files or photos in the cloud without even knowing it. Both iPhone and Android smartphones can sync your photos to the cloud. Remember the celebs who took racy photos with their iPhones and later had them exposed because their iCloud accounts were hacked?

What About Online Maps?

Google Maps’ short URLs also posed privacy risks. Google was using tokens of only 5 characters in its Maps shortened URLs, which makes the brute-forcing of all “live” short URLs much easier. Since the researchers shared their findings, Google Maps has gone to 11 or 12 character tokens.

You might not care if some random stranger knows that you used Google Maps to travel from your house to a Chinese restaurant in Hackensack. But a hacker, phisher or con man can use information about your home address and the places to which you travel to compromise your privacy.

What can be learned from Google Maps URLs? Plenty: one’s residence, favorite destinations, patterns of movement, the routes taken, and more. Starting with a possibly sensitive location (such as an abortion clinic, drug or cancer treatment center, hospital, church, jail, pawnbroker, payday loan store, etc.) it’s possible to trace everyone who visits it.

What's Being Done - And What You Can Do

Microsoft downplayed the significance of these findings, saying the vulnerability "does not currently warrant an MRSC case," but has quietly disabled URL-shortening on OneDrive none the less. Google has taken steps to make Maps short URLs harder to hack, but the vulnerability remains. Bad guys will just need a bigger botnet, or more time.

If you think short URLs are temporary, you are mistaken. They are deleted after a period of time, and they are reused only if a URL-shortening service runs out of tokens; note that in the bit.ly sample of 100 million short URLs, only 42 million are in use. That short URL you shared last year still works, and you don’t really know who else has it besides the person with whom you shared it. Maybe these two researchers found it among the “live” URLs in their small sample. Maybe hackers have figured it out.

It’s up to you whether you do anything about this potential vulnerability. Some countermeasures you might take include:

Don’t shorten URLs. Copy that gigantic URL from Google Maps and embed it in an HTML message, e. g., “Meet me at the Empire State Building; directions from Rockefeller Center are here.” Learn how to use the “link” function of whatever messaging tool you’re using.

Restrict access. Both Google Drive and OneDrive have the option to share a file or folder with a specific user or group of users. Instead of making your files available to (and modifiable by) the entire world, restrict access to just those people who should have it.

Password-protect short URLs. If it's not possible or convenient to restrict access by user, use a password. When you set a password as a condition of accessing a file via a short URL, make sure the password is stored on the cloud service’s server, not in the short URL. You’ll have to communicate the password to the intended recipient somehow. Obviously, you should create a non-obvious, long password.

Move, remove or rename. As for all the short URLs you’ve generated in the past, you could delete the files to which they point. But that's not necessary. A much simpler solution is to move the files or folders to which they point. You can move files to another folder, rename the folder, or rename the files. Then the short URL will resolve to “not found.” You can’t move the Google Maps pages you’ve generated, obviously, but if it’s worth the trouble you can move everything on your cloud storage space.

Do you use cloud storage or online maps? Have you shared a file or online map with others using a shortened URL? Your thoughts on this topic are welcome. Post your comment or question below...