Do Shortened URLs Endanger Privacy?
URL-shortening services can be convenient, but using them with online mapping or cloud services can create security holes that allow hackers access to a user’s data, or life details you thought were private. Read on to learn about URL shorteners and how you might be exposed...
Are Short URLs Safe?
Using short URLs may expose your files in cloud storage, and even spread malware to computers or mobile devices that are synced to online folders. So say security researchers Martin Georgiev and Vitaly Shmatikov in a paper entitled Gone in Six Characters: Short URLs Considered Harmful for Cloud Services. You can read Georgiev and Shmatikov's research paper if you like, but I'll summarize it here.
Let's start with a review. Often, websites generate long, unwieldy URLs (web page addresses) which are difficult or impossible to share via email, texting, social media, or instant messaging. Email programs may wrap long lines, truncating URLs or making them unclickable. Text messages are limited to 160 characters, and Twitter's max message length is 140. URL shortening services convert those long URLs (which can be hundreds of characters) into short URLs that are easy to copy, paste and share.
A shortened URL includes a minimal domain (such as 1drv.ms, bit.ly, or goo.gl) followed by a slash and a token - e.g., https://goo.gl/48kaNF. In this case, the six alphanumeric characters “48kaNF” are the token. When you enter the shortened URL in your browser, the server at goo.gl looks up the token and returns the original, long URL to your browser. Your browser then fetches what’s at that long URL.
Additional information may be embedded in a shortened URL. For instance, when you share a file or folder on Google Drive, you can specify whether the recipient of the shortened URL will have read-only, read/write, or password-protected access to that item.
Suppose you share with someone a shortened URL that leads to a document stored on Google Drive, and give him or her full read-write access. If that person is trustworthy, they'll open the document, read it, and perhaps make updates. But if the short URL that leads to your file falls into the wrong hands, that person can put anything he wants in that file’s location - including malware.
But That's Not All...
That hypothetical malware can also infiltrate any devices (desktops, laptops, tablets or smartphones) that sync to your cloud storage account, and work more mischief on them. Then it can spread to every device that connects to any of your infected devices. The authors of the study see this as a potential "vector for large-scale, automated malware injection."
I don't mean to pick on Google Drive here. Microsoft OneDrive has the same vulnerability in its 1drv.ms shortened URLs. So does bit.ly, an independent URL-shortening service that OneDrive offers as an option (or did, until this research appeared April 10, 2016). In fact, it seems likely that this vulnerability is part of any URL-shortening service; it’s just been overlooked for many years.
A bad guy must know a short URL that points to something in order to exploit its vulnerability. But the researchers found that it’s easy to grind through all possible digit and letter combinations of a six-character token to find all the short URLs that yield long (“live”) URLs. They estimate that a “small” botnet of a few thousand enslaved PCs could do it in a single day.
The researchers tested a sample of 100 million bit.ly short URLs, and found that 42% of them resolved to long URLs, of which "19,524 URLs led to OneDrive/SkyDrive files and folders, most of them live." From there, each live URL can be tested to see what access it provides and how it can be exploited; another easy job for a small botnet.
Ultimately, 7% of the OneDrive/SkyDrive short URLs granted read/write access, meaning they could be used to spread malware throughout their owners’ cloud storage space and across any devices that synced to it. That’s a high yield of “exploitables” for hackers and malware distributors!
You might be sharing files or photos in the cloud without even knowing it. Both iPhone and Android smartphones can sync your photos to the cloud. Remember the celebs who took racy photos with their iPhones and later had them exposed because their iCloud accounts were hacked?
What About Online Maps?
Google Maps’ short URLs also posed privacy risks. Google was using tokens of only 5 characters in its Maps shortened URLs, which makes the brute-forcing of all “live” short URLs much easier. Since the researchers shared their findings, Google Maps has gone to 11 or 12 character tokens.
You might not care if some random stranger knows that you used Google Maps to travel from your house to a Chinese restaurant in Hackensack. But a hacker, phisher or con man can use information about your home address and the places to which you travel to compromise your privacy.
What can be learned from Google Maps URLs? Plenty: one’s residence, favorite destinations, patterns of movement, the routes taken, and more. Starting with a possibly sensitive location (such as an abortion clinic, drug or cancer treatment center, hospital, church, jail, pawnbroker, payday loan store, etc.) it’s possible to trace everyone who visits it.
What's Being Done - And What You Can Do
Microsoft downplayed the significance of these findings, saying the vulnerability "does not currently warrant an MSRC case," but has quietly disabled URL-shortening on OneDrive nonetheless. Google has taken steps to make Maps short URLs harder to hack, but the vulnerability remains. Bad guys will just need a bigger botnet, or more time.
If you think short URLs are temporary, you are mistaken. They are not deleted after a period of time, and they are reused only if a URL-shortening service runs out of tokens; note that in the bit.ly sample of 100 million short URLs, only 42 million are in use. That short URL you shared last year still works, and you don’t really know who else has it besides the person with whom you shared it. Maybe these two researchers found it among the “live” URLs in their small sample. Maybe hackers have figured it out.
It’s up to you whether you do anything about this potential vulnerability. Some countermeasures you might take include:
Don’t shorten URLs. Copy that gigantic URL from Google Maps and embed it in an HTML message, e.g., “Meet me at the Empire State Building; directions from Rockefeller Center are here.” Learn how to use the “link” function of whatever messaging tool you’re using.
Restrict access. Both Google Drive and OneDrive have the option to share a file or folder with a specific user or group of users. Instead of making your files available to (and modifiable by) the entire world, restrict access to just those people who should have it.
Password-protect short URLs. If it's not possible or convenient to restrict access by user, use a password. When you set a password as a condition of accessing a file via a short URL, make sure the password is stored on the cloud service’s server, not in the short URL. You’ll have to communicate the password to the intended recipient somehow. Obviously, you should create a non-obvious, long password.
Move, remove or rename. As for all the short URLs you’ve generated in the past, you could delete the files to which they point. But that's not necessary. A much simpler solution is to move the files or folders to which they point. You can move files to another folder, rename the folder, or rename the files. Then the short URL will resolve to “not found.” You can’t move the Google Maps pages you’ve generated, obviously, but if it’s worth the trouble you can move everything on your cloud storage space.
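The points above about how a shortener resolves a token, why a five- or six-character token is enumerable while an eleven- or twelve-character one is not, and why a password should live on the service's server rather than in the short URL can be tied together in a small model of a shortening service. The following Python is an added illustration written for this page; it is not code from the article, from Google, bit.ly or Microsoft, or from Georgiev and Shmatikov's paper. The class and function names, the 1,000,000-lookups-per-second rate used in the demonstration, the PBKDF2 work factor and the example.invalid URLs are all assumptions made here for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# Alphabet used by the shorteners discussed in the article: A-Z, a-z, 0-9 = 62 symbols.
ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 100_000  # assumed work factor for the server-side password hash (illustrative)


def token_space(length: int, alphabet: str = ALPHABET) -> int:
    """Number of distinct tokens of a given length: 62**5 for Maps' old tokens, 62**6 for bit.ly/goo.gl."""
    return len(alphabet) ** length


def enumeration_days(length: int, lookups_per_second: float, alphabet: str = ALPHABET) -> float:
    """Days needed to look up every possible token once at a sustained rate.
    The rate is an assumption supplied by the caller; the paper gives no per-machine figure."""
    return token_space(length, alphabet) / lookups_per_second / 86_400


class Shortener:
    """Toy server-side resolver: token -> (long URL, optional salted password hash).

    Design choices that follow the article's advice (all of this is illustrative, not any vendor's code):
      * tokens come from a CSPRNG (secrets), so they are neither sequential nor predictable;
      * the default length is 12, matching what Google Maps moved to;
      * a password, when set, is stored only on the server as a PBKDF2 hash, never in the URL;
      * revoke() is the server-side analogue of moving or renaming the shared file.
    """

    def __init__(self, token_length: int = 12) -> None:
        self.token_length = token_length
        self._store: Dict[str, Tuple[str, Optional[Tuple[bytes, bytes]]]] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def shorten(self, long_url: str, password: Optional[str] = None) -> str:
        """Store long_url under a fresh random token and return that token."""
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(self.token_length))
            if token not in self._store:  # a collision is vanishingly unlikely at 12 chars, but check anyway
                break
        pw_record = None
        if password is not None:
            salt = os.urandom(16)
            pw_record = (salt, self._hash(password, salt))
        self._store[token] = (long_url, pw_record)
        return token

    def resolve(self, token: str, password: Optional[str] = None) -> Optional[str]:
        """Return the long URL for token, or None if the token is unknown, revoked,
        or the required password is missing or wrong (all three return the same value)."""
        entry = self._store.get(token)
        if entry is None:
            return None
        long_url, pw_record = entry
        if pw_record is None:
            return long_url
        if password is None:
            return None
        salt, digest = pw_record
        if hmac.compare_digest(self._hash(password, salt), digest):
            return long_url
        return None

    def revoke(self, token: str) -> bool:
        """Make an old token stop resolving ("not found"); True if it existed."""
        return self._store.pop(token, None) is not None


if __name__ == "__main__":
    # Constructed demonstration values, not figures from the paper.
    for n in (5, 6, 12):
        print(f"{n}-char tokens: {token_space(n):,} possible; "
              f"{enumeration_days(n, 1_000_000):.2e} days to cover at 1M lookups/s")
    svc = Shortener()
    t = svc.shorten("https://example.invalid/shared/plan.docx", password="correct horse battery staple")
    print(t, svc.resolve(t), svc.resolve(t, "correct horse battery staple"))
```

Running it shows the scale difference the article describes: the whole five-character space is under a billion tokens, six characters is about 57 billion, and twelve characters is roughly 3 x 10^21, far beyond any botnet's reach. The resolver returns None identically for an unknown token, a revoked one and a wrong password, so a guessed token reveals nothing about whether a password-protected item exists.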
Do you use cloud storage or online maps? Have you shared a file or online map with others using a shortened URL? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 25 Apr 2016
Article information: AskBobRankin -- Do Shortened URLs Endanger Privacy? (Posted: 25 Apr 2016)
Source: https://askbobrankin.com/do_shortened_urls_endanger_privacy.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Do Shortened URLs Endanger Privacy?"
Posted by:
clyde
25 Apr 2016
No problem do not use a cloud if it is not your own
Posted by:
Doc
25 Apr 2016
Sigh and I LOVED that wee-bitty program TINYurl -- back in the days when we still had operational 8088's in the lab, it was SUCH a time saver!!!! AND polite too!
Like my mom always taught me: Polite is what makes OTHER people comfortable. I guess the preview in Yahoo! does do a better job of making people comfortable - But I sometimes miss my little buddy. And even MS Word will accept a URL as a clickable address.
AND - just BTW AND off this topic -- Flash player is needed for _BBC World Service_. Sigh. Them Brits do SO many amazing things at light, quantum, and nano levels, yet still hang on to Flash. Go figure. Whod'a thunk.
Thanks again Bob for killing one of my good long time friends (though in all honesty I've rarely used it now that Yahoo! hides those 300 and 400 character URL addresses).
Posted by:
Darcetha M
25 Apr 2016
"No problem do not use a cloud if it is not your own". Posted by Clyde on April 25, 2016.
I agree with Clyde.
Posted by:
AndyC
26 Apr 2016
Excellent article, as always. I also am not a "cloud" user - except for temporarily transferring files between friends. I can't believe the public blasts the NSA so vigorously, and after they finish their vitriol, they happily hit the "sync" button (on whatever device), and send God knows what onto some commercial entity's server. And have you noticed how much EVERYONE is pushing you to use the safe and fluffy cloud. Does anyone really believe that this data will NEVER be analyzed? Anyhow, sorry for the rant. I've been a long-time reader... like going back to the "newsgroup" era... long before there was such a thing as "blogs"... and your advice is always spot-on.
Posted by:
Don
26 Apr 2016
I use Dropbox to share picture files with friends. When I go to get the link it says, "Anyone with the link can see it." Is there any danger if there is nothing sensitive and they can only "see" it?
EDITOR'S NOTE: In the case of OneDrive, a short URL could lead to discovery of other files in the user's folder. I don't know if that same issue applies to Dropbox.
Posted by:
Jeff L.
26 Apr 2016
Wait, what vulnerability are you talking about? If the URL is not for an editable document but just a shortcut to, say, a CNN.com story or some other permanent link, what's the risk?
Is there really any problem with shortcuts per se?
EDITOR'S NOTE: No, there is no security issue with shortcuts per se. What you need to remember is that they do not provide any privacy. And especially with the shortest of the short URLs, they can be programmatically discovered without much trouble. But in your example, there's nothing to worry about.
Posted by:
Matt
26 Apr 2016
My favorite URL shortening service is Shady URL (http://shadyurl.com/). It's just fun! And no, I don't use it for any files. Any files I have short links for are from Dropbox, where it's easy to break the shared link. I also try to use the linking feature whenever possible and just use the long URL. It's easy with Ctrl+K in Outlook or Gmail! :)