Microsoft OneDrive and Google Maps block URL shorteners

Easy Way Out, Easy Way In

When you share an article link on Twitter, a long URL leaves little room to say anything about it. Some URLs might not even fit in Twitter’s 144-character limit, which, personally, I wouldn’t want to change. That’s one of the things that make Twitter unique. So how do you share overly long links over Twitter and similarly limited apps? With URL shortening services, of course. They shorten very long URLs to just a few characters, leaving room to describe the URL you just pasted or shared, so that recipients don’t mistake the content for gibberish when it appears in aging apps that don’t translate the URL into content headers. People also use URL shorteners to mask links to their networks, to hide the dubious origins of their links, or simply for convenience when receiving clients don’t turn URLs into clickable links. Recipients can then easily re-type or copy and paste these shortened URLs into their browsers.

Personally, I don’t trust shortened URLs unless they’re from a reliable source and neither should you. I don’t trust them because I don’t know where they point to. For all I know, they could instantly connect me to some site that will download malware straight to my computer. For example, you can’t tell if http://bit.ly/ytshd will point you to http://foobar.com/stuff or http://installmalware.rus/erase_your_os.

But they’re also useful for personal or company security purposes. If you don’t want snoops knowing your company’s domain just by reading your URL http://mycompanyisrich.com/financialreports/login.srf, you could send it to your colleagues as http://bit.ly/shrtlnk. It’s a small consolation, since those snoops could just click the link anyway. It now turns out that URL shorteners have become unintended security leaks. If you’ve used URL shorteners to mask your actual URL and make it convenient for your recipient, for example, to share files from OneDrive or Dropbox or to share GPS coordinates in Google Maps, then you’re in trouble.

As with passwords, the shorter the string, the easier it is to guess, and the easier it is for an intruder to brute-force a way into whatever system it protects. According to an Ars Technica report, the URLs given by URL shortening services are too short and easy to guess. There can only be so many combinations of such a short URL. Now, imagine if we switched a few letters and numbers around. We could probably fish for a live link intended for someone else. According to Ars Technica, a couple of researchers named Vitaly Shmatikov from Cornell University and Martin Georgiev did just that, but focused on URL shorteners from Microsoft’s OneDrive and Google Maps.

“We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)… but we sampled enough to discover interesting information and draw important conclusions… OneDrive URLs have a predictable structure. From the URL to a single shared document (“seed”), one can construct the root URL and automatically traverse the account, discovering all files and folders shared under the same capability as the seed document or without a capability… The traversal-augmented scan yielded URLs to 227,276 publicly accessible OneDrive documents, including dozens of thousands of PDF and Word files, spreadsheets, media files, and executable binaries. A similar scan of 100,000,000 random seven-character bit.ly tokens yielded URLs to 1,105,146 publicly accessible OneDrive documents. We did not download their contents, but just from the metadata it is obvious that many of them contain private or sensitive information,”

–blog post, Vitaly Shmatikov, Cornell University

Now that’s a real bummer, especially for ordinary users at home or businesses who are not aware of the implications. Many think that they can just provide the shortened URL to their recipients and go on with their lives, forgetting to kill these links as soon as their recipients get the package. Some of these open shares have write access, so malicious attackers can dump anything into those folders, including malware, or even use them at their leisure for other purposes.

In the case of Google Maps, attackers can find out a person’s identity and even track their future activities through endpoints and driving directions. Does “I know where you live, and I know where you go” sound creepy to you?

“The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a Planned Parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom,”

–Vitaly Shmatikov

As a result, both Microsoft and Google disabled these services until they find a better way, such as increasing the number of characters in the shortened links. If you still find URL shortening services essential, just be sure to kill the links as soon as possible.
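The token-space argument above, worked through as an added example (not code from the article or from the researchers). It assumes a 62-character alphanumeric alphabet and a constructed figure of one million live links; the 100,000,000-probe budget is the sample size quoted above.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed: 62 symbols per position

def token_space(length: int) -> int:
    """Number of distinct tokens of the given length."""
    return len(ALPHABET) ** length

def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random token, in bits."""
    return length * math.log2(len(ALPHABET))

def expected_hits(probes: int, live_links: int, length: int) -> float:
    """Expected live links found by `probes` uniformly random guesses."""
    return probes * live_links / token_space(length)

def min_length_for(probes: int, live_links: int, max_hits: float) -> int:
    """Shortest token length that keeps expected hits at or below max_hits."""
    length = 1
    while expected_hits(probes, live_links, length) > max_hits:
        length += 1
    return length

def new_share_token(length: int) -> str:
    """Token drawn from the OS CSPRNG, not a counter or a hash of the URL."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    PROBES = 100_000_000   # sample size quoted in the article
    LIVE = 1_000_000       # constructed value: live share links in the service
    for n in (6, 7, 8, 12, 22):
        print(f"{n:>2} chars  {entropy_bits(n):6.1f} bits  "
              f"expected hits: {expected_hits(PROBES, LIVE, n):.3g}")
    n = min_length_for(PROBES, LIVE, 1e-6)
    print("length for <= 1e-6 expected hits:", n, new_share_token(n))
```

Longer tokens only address guessing. The account traversal described in the quote depends on what a valid link grants access to, so it needs a separate fix.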

Tech News
@movietvtechgeek

Our technology expert who knows a thing or two about the future, superheroes and Supernatural.
