URL Shorteners May Be Exposing Your Private Information
URL shorteners have been around for a while, and can be rather useful. This is especially true when using services like Twitter, which limit the number of characters you can use. But there are hidden dangers to using a shortener that you might not even be aware of.
Imagine that you've got a file in your OneDrive account that you want to share with someone. If you go in and create a link to it, Microsoft will use Bit.ly to craft a much shorter link, which looks a lot nicer than the full one. If you use a OneDrive account, then it's very possible that you've done this before, and not thought twice about it. But it turns out that in the right hands, that simple shortened link can tell a person how to access your other files.
According to a team of researchers, the URL that's generated has a very predictable structure. This structure can be used to find the full URL, and eventually browse through other files on the user's account. What's more, when they were conducting their tests, they were able to find some writable files that they could access. This means that they could easily delete them, or if they wanted to be more malicious, they could inject malware into the files.
Imagine downloading a file that you'd saved on your OneDrive, and finding out that it ended up causing some serious issues on your computer. You'd never have any idea that someone else was able to modify it while it was sitting in the cloud. That would come as quite a shock when you discovered it.
Microsoft's OneDrive isn't the only service that the researchers found issues with when it came to shortened URLs. Google Maps links were also vulnerable at the time of the study. They were able to scan links built from five-character tokens, and pull data such as the user's name, age, and the route they were planning to take.
Google responded quickly to the team's findings, increased the token length to 11-12 characters, and implemented measures to prevent bots from scanning their URLs.
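The reason a five-character token is scannable while an 11-12 character one is not comes down to the size of the token space and how densely it is populated with live links. The following is an added example, not code from the article or from the researchers it describes; it assumes a 62-symbol alphabet (a-z, A-Z, 0-9), which is common for shorteners, and a 64-bit entropy floor as an arbitrary policy threshold. It shows how a defender would size a short-link token and generate one from a cryptographic random source instead of a counter or a predictable pattern.

```python
import math
import secrets
import string

# Assumed shortener alphabet: letters and digits, 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def token_space(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def token_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy, in bits, of a uniformly random token of this length."""
    return length * math.log2(alphabet_size)


def live_link_density(length, live_links, alphabet_size=len(ALPHABET)):
    """Fraction of the token space that resolves to a real link.

    A small space with many live links is what made five-character tokens
    risky: a large share of the possible tokens leads somewhere private.
    """
    return live_links / token_space(length, alphabet_size)


def meets_policy(length, min_bits=64, alphabet_size=len(ALPHABET)):
    """Assumed policy: a token must carry at least min_bits of entropy."""
    return token_entropy_bits(length, alphabet_size) >= min_bits


def new_token(length=12):
    """Generate a shortener token with a CSPRNG (the secrets module).

    Never derive tokens from a sequential counter or from a predictable
    transformation of the target URL; the structure itself becomes the leak.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for n in (5, 11, 12):
        print(f"{n} chars: {token_space(n):,} tokens, "
              f"{token_entropy_bits(n):.1f} bits, "
              f"policy ok: {meets_policy(n)}")
    # Constructed figure of one million live links, for illustration only.
    print(f"density at 5 chars / 1M links: {live_link_density(5, 1_000_000):.5f}")
    print("sample token:", new_token())
```

Running the script shows that five characters give just under 30 bits (about 916 million tokens), while 11 characters already clear the 64-bit floor; the density function makes the risk concrete by showing what fraction of a short space a population of live links occupies.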
As for Microsoft, shortly after being contacted about the vulnerabilities found in their service, they disabled link shortening in OneDrive. The company hasn't stated whether or not the team's findings played any part in that decision, but it would stand to reason that it did.
These are just two services that utilize URL shorteners, and while their vulnerabilities have been patched up (or eliminated, in OneDrive's case), that is still a bit worrying. It should serve as a good warning about the potential dangers of URL shorteners. Just remember that if a service uses one, there is the possibility that vulnerabilities such as the ones outlined above could exist.
VIA: TNW