Report: URL shorteners may have privacy, security exploits


Researchers at Cornell issued a paper on security concerns with URL shorteners. The examples highlighted include Microsoft's OneDrive cloud service and Google Maps.

Essentially, services like Bit.ly generate short random IDs for shortened URLs. When someone clicks a shortened URL, it resolves to the full address. By scanning ranges of those random IDs, someone could find active links that were never intended to be publicly known.

Andy Greenberg for Wired:

by loading the resulting pages and looking at the full URL, the researchers say they could often tweak that web address to access other files or folders uploaded by the same OneDrive user. And about 7 percent of the files or folders were editable by anyone who visited.

That means, the researchers point out, that they could not only mess around with people's data, but even add malware to their cloud storage, which--thanks to a synchronization feature--is often copied automatically to the victim's PC.

With Google Maps, for example, the same method could be used to identify locations and driving routes intended to be shared privately. The report states that the issue is similar with other mapping services using URL shorteners.
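The scanning risk described above comes down to how densely live links fill the space of possible IDs. The following sketch is an added example, not code from the Cornell paper or from any shortener: it estimates how many live links a scanner would expect to hit and picks a token length that keeps that number negligible. The 62-character alphabet, link counts and probe budgets are constructed assumptions.

```python
import secrets
import string

# Assumed alphabet: a-z, A-Z, 0-9 (62 symbols). Real services may differ.
ALPHABET = string.ascii_letters + string.digits


def expected_hits(token_len, live_links, guesses, alphabet_size=len(ALPHABET)):
    """Expected number of live links found by `guesses` uniformly random probes."""
    keyspace = alphabet_size ** token_len
    return guesses * live_links / keyspace


def min_token_length(live_links, guess_budget, max_expected_hits=1e-3,
                     alphabet_size=len(ALPHABET)):
    """Smallest token length at which a scanner with `guess_budget` probes
    expects no more than `max_expected_hits` live links."""
    needed_keyspace = live_links * guess_budget / max_expected_hits
    length = 1
    while alphabet_size ** length < needed_keyspace:
        length += 1
    return length


def new_token(length):
    """Draw a token from the OS CSPRNG so IDs are not guessable from each other."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    live = 10**9      # constructed: links issued by a hypothetical service
    probes = 10**6    # constructed: requests one scanner sends
    for n in (5, 6, 7, 12):
        print(f"{n:2d} chars: ~{expected_hits(n, live, probes):,.4f} "
              f"live links per {probes:,} probes")
    safe = min_token_length(live, guess_budget=10**9)
    print("suggested length:", safe, "example token:", new_token(safe))
```

Longer tokens only address scanning. They do not help when the resolved URL itself exposes other resources, as in the OneDrive case quoted above.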