Researchers show that it’s possible to guess links created by URL shorteners, effectively making private files public, and revealing personal information.
Short links have become a staple of the web, turning long, unwieldy URLs into more elegant and shorter strings of characters. This is how you avoid pesky character limits on services like Twitter, or share better-looking and easier-to-remember links with your friends.
But short URLs that are too short could expose the content behind the link to anyone, even people you didn't share them with.
It turns out that the simplicity and convenience of short links has an unintended consequence. If the seemingly random string of characters, or token, after the domain name (the "1f9lqAP" in bit.ly/1f9lqAP, for example) is too short, then someone with enough computing power can guess random strings and potentially stumble upon something you might have wanted to keep private.
An attacker using this method could potentially collect millions of other people's short links, accessing files that users likely considered private, or revealing people's identities and locations, according to a new study.
Two researchers devised a method to automatically guess, or scan by brute force, millions of Microsoft OneDrive (1drv.ms) and Google Maps (goo.gl/maps) short links. This way, they found thousands of open OneDrive folders with potentially sensitive information, as well as Google Maps links that could be used to identify the people who created them.
In other words, short URLs with five, six, or seven-character tokens that users might think of as private are not that private.
"When you are sharing something using a short URL, you are not sharing with just the intended recipient...you are sharing with the entire world," Vitaly Shmatikov, a professor at Cornell Tech and one of the researchers who worked on the study, told Motherboard in an email.
This is how Shmatikov illustrated the dangers of this technique in a blog post.
"The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a Planned Parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom."
The same analysis could have been used to find out who's visiting prisons, mental health or addiction clinics, or even strip clubs, Shmatikov told me, also stressing that he and Georgiev did not do that, to avoid violating people's privacy, but "someone less scrupulous" could have.
That's pretty creepy, but what Shmatikov and his co-author Martin Georgiev found about OneDrive short URLs might even be worse.
By scanning 100,000,000 bit.ly URLs, the researchers said they found 19,524 URLs that led to OneDrive/SkyDrive files and folders. Given that OneDrive URLs have "predictable structure," the researchers were then able to guess live links to 1,105,146 publicly accessible OneDrive documents, "including dozens of thousands of PDF and Word files, spreadsheets, media files, and executable binaries," according to the blog post.
This means anyone sharing a short OneDrive URL with a colleague or friend may have exposed that file or folder "to everyone," according to the study. The researchers said they didn't touch any of the files they found.
"The biggest danger," Shmatikov said, is that 7 percent of the OneDrive folders they found allowed anyone to modify or alter the files. That means somebody with more evil intentions than the researchers could've injected malware into the folders or files, getting a virus onto the target's computer thanks to the fact that Microsoft's service syncs files in the cloud with users' local OneDrive folders.
But there's some good news.
The researchers reached out to Google on September 15, 2015 to alert the company to the issue. Six days later, Google increased Google Maps short URL tokens to 11 or 12 characters, and made automated scanning harder. A Google spokesperson confirmed Google "strengthened URL protections" based on the researchers' findings and the company's "own studies."
The two weren't as lucky with Microsoft. The researchers reached out to the company on May 28, 2015 and, after a weeks-long email exchange, Microsoft's Security Response Center said that the ability to share short URLs "appears by design," and was not a vulnerability, according to the paper.
Last month, however, Microsoft removed the ability to share shortened OneDrive links. A Microsoft spokesperson declined to answer a series of specific questions, but said in a statement that the company removed the feature as part of an effort "to improve the usability, features and security of our products and services."
This way, newly shared OneDrive files don't have short URLs and thus can't be found using the researchers' technique, but old URLs are still exposed, according to Shmatikov.
The researchers only focused on OneDrive and Google Maps as case studies, but their findings apply to any other service that uses short URLs that are too short. For that reason, the two recommend that companies make short URLs longer, inform users about their potential risks, deploy methods to tell automated scans from human users, and avoid relying on universal URL shorteners.
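The arithmetic behind that first recommendation, as an added illustration that is not from the article or the researchers: a defender sizing a shortener's token length. It assumes a 62-character alphabet (letters and digits, as in the bit.ly-style tokens above), live tokens spread uniformly over the keyspace, and constructed figures for the number of live links and the attacker's guess budget.

```python
import secrets
import string

# 62-character alphabet (a-z, A-Z, 0-9), the usual choice for short-link tokens
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_hits(guesses: int, live_links: int, length: int) -> float:
    """Expected number of live links found by `guesses` uniformly random token
    guesses, assuming live tokens are spread uniformly over the keyspace
    (an assumption; a shortener using a counter is far worse than this)."""
    return guesses * live_links / keyspace(length)


def min_token_length(live_links: int, guesses: int, max_hits: float = 1.0) -> int:
    """Smallest token length at which a scan of `guesses` attempts is expected
    to turn up no more than `max_hits` live links."""
    length = 1
    while expected_hits(guesses, live_links, length) > max_hits:
        length += 1
    return length


def new_token(length: int) -> str:
    """Mint a token with a CSPRNG (secrets), never a sequential counter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed figures: one billion live links, a scanner with 100 million guesses
    live, budget = 10**9, 10**8
    for n in (5, 6, 7, 11, 12):
        print(f"{n}-char tokens: expected hits per scan = {expected_hits(budget, live, n):,.2f}")
    print("token length needed for < 1 expected hit:", min_token_length(live, budget))
    print("sample token:", new_token(12))
```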
In the meantime, Shmatikov has a simple solution for users who might be worried about their privacy.
"If you want the content behind the URL—a document, a map, a folder—to remain private," Shmatikov told me, "don't share it using a short URL."