Microsoft OneDrive and Google Maps block URL shorteners

Easy Way Out, Easy Way In

When sharing articles or links to articles via Twitter, there isn’t much room left to say anything about them after pasting a long URL. Some URLs might not even fit in Twitter’s 144-character limit, which, personally, I wouldn’t want to change. That’s one of the things that make Twitter unique. But how do you share overly long links over Twitter and similarly limited apps? URL shortening services, of course. They shorten very long URLs to just a few characters, leaving people room to describe the URL they just pasted or shared so that recipients don’t mistake the content for gibberish when it is seen on aging apps that don’t translate the URL into content headers. People also use URL shorteners to mask links to their networks or the dubious origins of their links, or simply for convenience when receiving clients don’t turn URLs into clickable links. These shortened URLs can then be easily retyped or copy-pasted by recipients into their browsers.

Personally, I don’t trust shortened URLs unless they’re from a reliable source and neither should you. I don’t trust them because I don’t know where they point to. For all I know, they could instantly connect me to some site that will download malware straight to my computer. For example, you can’t tell if http://bit.ly/ytshd will point you to http://foobar.com/stuff or http://installmalware.rus/erase_your_os.

But they’re also useful for personal or company security purposes. If you don’t want snoops knowing your company’s domain just by reading your URL http://mycompanyisrich.com/financialreports/login.srf, you could send it to your colleagues as http://bit.ly/shrtlnk. It’s a small consolation, since those snoops could just click the link anyway. It now turns out that URL shorteners have become unintended security leaks. If you’ve used URL shorteners to mask your actual URL and make it convenient for your recipient to use, for example, to share files from OneDrive or Dropbox or to share GPS coordinates in Google Maps, then you’re in trouble.

As with passwords, the shorter the token, the easier it is to guess, and the easier it is for some intruder to brute-force his way into whatever system you’re using it for. According to an Ars Technica report, the URLs given by URL shortening services are too short and easy to guess. There can only be so many combinations in such a short URL. Now, imagine if we switched a few letters and numbers around. We could probably fish for a live link intended for someone else. According to Ars Technica, a couple of researchers named Vitaly Shmatikov from Cornell University and Martin Georgiev did just that, but focused on URL shorteners from Microsoft’s OneDrive and Google Maps.

“We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)… but we sampled enough to discover interesting information and draw important conclusions… OneDrive URLs have a predictable structure. From the URL to a single shared document (“seed”), one can construct the root URL and automatically traverse the account, discovering all files and folders shared under the same capability as the seed document or without a capability… The traversal-augmented scan yielded URLs to 227,276 publicly accessible OneDrive documents, including dozens of thousands of PDF and Word files, spreadsheets, media files, and executable binaries. A similar scan of 100,000,000 random seven-character bit.ly tokens yielded URLs to 1,105,146 publicly accessible OneDrive documents. We did not download their contents, but just from the metadata it is obvious that many of them contain private or sensitive information,”

–blog post, Vitaly Shmatikov, Cornell University

Now that’s a real bummer, especially for ordinary users at home or businesses who are not aware of the implications. Many think that they can just provide the shortened URL to their recipients and go on with their lives, forgetting to kill these links as soon as their recipients get the package. Some of these open shares have write access, so malicious attackers can dump anything into those folders, including malware, or even use them at their leisure for other purposes.

In the case of Google Maps, attackers can find out a person’s identity and even track their future activities through endpoints and driving directions. Does “I know where you live, and I know where you go” sound creepy to you?

“The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a Planned Parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom,”

–Vitaly Shmatikov

As a result, both Microsoft and Google disabled these services until they find a better way, like maybe increasing the number of characters in the shortened links. If you still find URL shortening services essential, just be sure to kill the links as soon as possible.
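The keyspace arithmetic behind short tokens, together with the two mitigations named above (longer tokens and killing links), as an added Python example that is not from the article, the researchers, or any shortening service. The 62-symbol alphabet, the figure of one billion live links, and the `ShareLinks` class are assumptions made for illustration.

```python
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # assumed 62-symbol token alphabet

def keyspace(length, symbols=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return symbols ** length

def guesses_per_hit(length, live_links):
    """Expected uniformly random guesses before one token resolves to a live link."""
    return keyspace(length) / live_links

def min_token_length(live_links, target_guesses):
    """Shortest token length whose expected guesses per hit reach the target."""
    length = 1
    while keyspace(length) < live_links * target_guesses:
        length += 1
    return length

class ShareLinks:
    """Hypothetical share-link store: long random tokens that expire or can be revoked."""

    def __init__(self, token_length, ttl_seconds):
        self.token_length = token_length
        self.ttl = ttl_seconds
        self._links = {}  # token -> (target, expiry timestamp)

    def create(self, target, now=None):
        now = time.time() if now is None else now
        # secrets uses the OS CSPRNG, so tokens are not predictable from earlier ones
        token = "".join(secrets.choice(ALPHABET) for _ in range(self.token_length))
        self._links[token] = (target, now + self.ttl)
        return token

    def resolve(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._links.get(token)
        if entry is None or now >= entry[1]:
            self._links.pop(token, None)  # drop expired links on access
            return None
        return entry[0]

    def revoke(self, token):
        """Kill a link as soon as the recipient has the file."""
        return self._links.pop(token, None) is not None

if __name__ == "__main__":
    live = 10**9  # constructed figure, not taken from the article
    print(f"7 chars: {keyspace(7):,} tokens, ~{guesses_per_hit(7, live):,.0f} guesses per hit")
    print("length needed for 2**64 guesses per hit:", min_token_length(live, 2**64))
```
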

Tech News
@movietvtechgeek

Our technology expert who knows a thing or two about the future, superheroes and Supernatural.
