- On Apr 19, 2016
- Kareem Zok
Security researchers find six-character short URLs expose your personal data to anyone who looks.
Security researchers have discovered that short URLs can be brute-forced, potentially exposing personal data to anyone motivated to look. The issue was found by Martin Georgiev and Vitaly Shmatikov after looking at the abbreviated web addresses used by companies like Google, Microsoft and bit.ly. A standard Google Maps URL, for instance, runs to around 150 characters, but for ease of sharing the product offered a six-character alternative. A six-character token, however, comes from a space small enough to be searched by trial and error: an attacker can simply generate random tokens and see which ones resolve, exposing cloud storage files and map queries to the world.
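To make the "small enough to guess" claim concrete, here is an added worked example (not code from the article or from the paper it reports on). It assumes tokens are drawn uniformly from the 62-symbol alphabet [A-Za-z0-9]; the request rates, link counts and the planted token table in the simulation are constructed inputs, not measurements from the paper. It also shows, for the length change mentioned later in the article, how to pick a token length for a given number of live links and attacker budget.

```python
"""Brute-force feasibility of random short-URL tokens (added example)."""
import random
import secrets
import string

# Assumed alphabet: 62 symbols, as used by common URL shorteners.
ALPHABET = string.ascii_letters + string.digits


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_probes_per_hit(alphabet_size: int, length: int, live_links: int) -> float:
    """Average random guesses before one resolves to a real link.

    A uniformly random token is live with probability live/keyspace, so the
    number of guesses until the first hit is geometric with mean keyspace/live.
    Note that this does not depend on the attacker having to cover the whole
    keyspace: a dense table is cheap to mine no matter how large it is.
    """
    if live_links <= 0:
        raise ValueError("live_links must be positive")
    return keyspace(alphabet_size, length) / live_links


def expected_hits(alphabet_size: int, length: int, live_links: int,
                  attacker_requests: int) -> float:
    """Expected number of live links found with a fixed request budget."""
    return attacker_requests * live_links / keyspace(alphabet_size, length)


def seconds_to_enumerate(alphabet_size: int, length: int, requests_per_second: float) -> float:
    """Wall-clock time to try every token at a given request rate (constructed rate)."""
    return keyspace(alphabet_size, length) / requests_per_second


def min_token_length(alphabet_size: int, live_links: int, attacker_requests: int,
                     max_expected_hits: float = 1.0) -> int:
    """Smallest token length keeping expected hits at or below max_expected_hits.

    Condition: attacker_requests * live_links / alphabet**length <= max_expected_hits.
    The loop stays in exact integer arithmetic on the left-hand side so the
    boundary case is not lost to float rounding.
    """
    length = 1
    while attacker_requests * live_links > max_expected_hits * keyspace(alphabet_size, length):
        length += 1
    return length


def generate_token(length: int) -> str:
    """Defender side: draw a token with a CSPRNG so guesses cannot be predicted,
    which still leaves it enumerable if `length` is too small."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def simulate_scan(live_links: int, length: int, probes: int, seed: int = 1) -> int:
    """Monte Carlo version of the scan: plant `live_links` random tokens, then
    guess `probes` random tokens and count how many land on a planted one.
    The planted table and the guesses are constructed here; seeded for repeatability.
    """
    rng = random.Random(seed)

    def rand_token() -> str:
        return "".join(rng.choice(ALPHABET) for _ in range(length))

    live = {rand_token() for _ in range(live_links)}
    return sum(rand_token() in live for _ in range(probes))


if __name__ == "__main__":
    # Constructed scenario: 10^9 live links, attacker with 10^9 requests, 1000 req/s.
    for n in (6, 8, 11, 12):
        print(f"length {n:2d}: keyspace {keyspace(62, n):.2e}, "
              f"expected hits {expected_hits(62, n, 10**9, 10**9):.3g}, "
              f"full scan {seconds_to_enumerate(62, n, 1000) / 86400:.3g} days")
    print("minimum length for <= 1 expected hit:", min_token_length(62, 10**9, 10**9, 1))
    print("simulated hits at 1% density, 10k probes:", simulate_scan(2383, 3, 10_000))
    print("fresh token:", generate_token(11))
```

The point the numbers make is that a full enumeration is not needed: hits arrive at the rate `live / keyspace` per request, so what matters is the density of live links in the token space, not the absolute size of the space. Lengthening the token shrinks that density exponentially, which is why adding characters is the effective fix; rate limiting alone only slows the same expected yield.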
Georgiev and Shmatikov were able to find Google Drive and Microsoft OneDrive files that had been shared via short URLs. Some of those files sat in folders that were writable, so anyone in the world who guessed the link could drop malicious code into the owner's cloud storage. Because sync clients automatically copy a folder's contents down to every linked device, the duo argue that there is a very real risk of "large-scale malware injection." The pair report that 7 percent of the OneDrive and Google Drive accounts they scanned were vulnerable in this way.
The researchers were also able to use the flaw to up their stalking game quite significantly. Short Google Maps URLs often encoded directions between two private addresses, and it would be easy to infer relationships from that data that were otherwise intended to stay private. Worse, some people's map links revealed highly personal information such as the medical facilities and places of worship they visited. The pair were also able to find and name people who had looked up directions to juvenile detention facilities, pawn brokers and other destinations that are ordinarily kept secret.
One of the reasons people don't really think about short links is that they've been told to believe in "security through obscurity": the idea that if nobody knows a file is on the internet, nobody will be able to find it. The pair have blown that out of the water. Early in the paper, the duo note that people believe the URLs are "safe because they are 'random looking' and not shared publicly." In fact, this simply isn't true, and "each resource shared via short URL is thus effectively public, and can be accessed by anyone anywhere in the world." As far as the pair are concerned, "automatically generated short URLs are a terrible idea for cloud services."
At the end of the paper, the researchers describe the differing ways in which Google and Microsoft handled the disclosure. Google doubled the token length and subsequently told Wired that it "appreciate[s] contributions to the safety of Google Maps and Google products." Microsoft, meanwhile, is quoted by the researchers as saying that the vulnerability "does not currently warrant an MSRC case," though it did quietly remove the link-shortening function from OneDrive. That is no comfort to existing users: short links that were generated before the change still resolve and remain exposed.