A new research paper has identified flaws in automatic URL shortening services such as bit.ly that expose the private data of cloud service users.
In the study, titled Gone in Six Characters: Short URLs Considered Harmful for Cloud Services [PDF], the team, led by Martin Georgiev and Vitaly Shmatikov, found that for many services the full URL behind a short link could easily be recovered by trial and error, exposing private information in cloud storage files and mapping requests.
The security researchers searched through all of the shortened links generated by Google Maps and were able to reveal users’ private addresses and other highly sensitive geolocation information, such as medical facilities, detention centres and places of worship.
Until last year Google used five-character tokens in its short URLs; it has since increased this to 11 to 12 characters for the Google Maps service.
Shortened Microsoft OneDrive URLs were also found to expose sensitive data, with the researchers able to breach 7% of the accounts they reached and edit their contents. Because anyone who can write to a target’s storage can copy files into it, the duo claims this presents a very real risk of ‘large-scale malware injection.’
Using 189 machines, the team also queried the bit.ly API for 100 million six-character tokens from its address space, of which 42 million resolved to URLs. In this sample, 19,524 led straight to OneDrive files and folders, the majority of them live.
Looking at seven-character tokens, the researchers resolved 29% of the URLs sampled, including 47,081 OneDrive and SkyDrive links, 35,541 of which were live.
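The figures above are a direct consequence of keyspace size: a six-character base-62 token has under 36 bits of entropy, so the whole space is enumerable, while 11 to 12 characters is not. The following Python, added here as an illustration and not taken from the paper, puts numbers on that trade-off for a service choosing a token length; the base-62 alphabet and the request rate are assumptions.

```python
import math

# Assumption: a bit.ly-style alphabet of a-z, A-Z and 0-9, i.e. 62 symbols per position.
ALPHABET_SIZE = 62
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(token_length: int) -> int:
    """Number of distinct tokens of the given length."""
    return ALPHABET_SIZE ** token_length


def token_bits(token_length: int) -> float:
    """Entropy, in bits, of a uniformly random token of this length."""
    return token_length * math.log2(ALPHABET_SIZE)


def full_scan_years(token_length: int, requests_per_second: float) -> float:
    """Years needed to resolve every token in the space at a sustained request rate.

    The rate is an assumption about the scanner; the point is the ratio between
    token lengths, not the absolute figure.
    """
    return keyspace(token_length) / requests_per_second / SECONDS_PER_YEAR


def observed_density(sampled: int, resolved: int) -> float:
    """Fraction of sampled tokens that resolved, e.g. 42 million of 100 million."""
    return resolved / sampled


def min_token_length(min_bits: float) -> int:
    """Shortest token whose keyspace provides at least min_bits of entropy.

    Use this when sizing tokens for a new service: 64 bits gives 11 characters,
    which matches the length Google moved to for Maps links.
    """
    return math.ceil(min_bits / math.log2(ALPHABET_SIZE))


if __name__ == "__main__":
    for length in (5, 6, 7, 11):
        print(f"{length:2d} chars: {token_bits(length):5.1f} bits, "
              f"full scan at 1000 req/s ~ {full_scan_years(length, 1000):.3g} years")
    print(f"Observed density in the six-character sample: {observed_density(100_000_000, 42_000_000):.2f}")
    print(f"Minimum length for 64 bits of entropy: {min_token_length(64)}")
```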
According to the team, Microsoft has since stopped offering bit.ly as a URL shortening tool in OneDrive.
The researchers concluded the paper by advising that ‘automatically generated short URLs are a terrible idea for cloud services,’ while acknowledging the enormous challenge of mitigating the damage already done: short URLs have been an ‘integral part of many cloud services and previously shared information remains publicly accessible – unless URL shorteners take the drastic step of revoking all previously issued short URLs.’