Easy Way Out, Easy Way In
When sharing articles or links to articles via Twitter, there isn’t much room left to say anything about them after pasting a long URL. Some URLs might not even fit in Twitter’s 144-character limit, which personally I wouldn’t want to change; it’s one of the things that make Twitter unique. But how do you share overly long links over Twitter and similarly limited apps? URL shortening services, of course. They shorten very long URLs to just a few characters, leaving people room to describe the URL they just pasted or shared, so that recipients don’t mistake it for gibberish on aging apps that don’t turn the URL into a content preview. People also use URL shorteners to hide the network or dubious origin behind their links, or simply for convenience when the receiving client doesn’t turn URLs into clickable links. These shortened URLs can then easily be re-typed or copy-pasted by recipients into their browsers.
Personally, I don’t trust shortened URLs unless they’re from a reliable source, and neither should you. I don’t trust them because I don’t know where they point. For all I know, they could instantly connect me to some site that downloads malware straight to my computer. For example, you can’t tell whether http://bit.ly/ytshd will take you to http://foobar.com/stuff or to http://installmalware.rus/erase_your_os.
But they’re also used for personal or company security purposes. If you don’t want snoops learning your company’s domain just by reading a URL such as http://mycompanyisrich.com/financialreports/login.srf, you could send it to your colleagues as http://bit.ly/shrtlnk. It’s a small consolation, since those snoops could just click the link anyway. It now turns out that URL shorteners have become unintended security leaks. If you’ve used URL shorteners to mask your actual URL and make it convenient for your recipient, for example to share files from OneDrive or Dropbox or to share GPS coordinates in Google Maps, then you’re in trouble.
As with passwords, the shorter your password, the easier it is to guess, and the easier it is for an intruder to brute-force his way into whatever system you’re using it for. According to an Ars Technica report, the URLs handed out by URL shortening services are too short and easy to guess: there can only be so many combinations of such a short URL. Now imagine switching a few letters and numbers around; we could probably fish out a live link intended for someone else. According to Ars Technica, two researchers, Vitaly Shmatikov from Cornell University and Martin Georgiev, did just that, focusing on the URL shorteners used by Microsoft’s OneDrive and Google Maps.
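To put numbers on "there can only be so many combinations", here is an added example (not code from the article or from the researchers) that models a bit.ly-style token: 62 symbols (letters and digits) per position. It computes the keyspace and entropy of a given token length, the hit rate of the scan quoted further down this page (100,000,000 seven-character tokens, 1,105,146 OneDrive documents), the expected number of guesses per live link, and the smallest token length at which a guessing budget is expected to yield no hit at all. The alphabet, the `live_links` count and the `guess_budget` in the demo are assumptions, not figures from the page; `generate_token` is a hypothetical shortener-side helper showing the defensive choice of drawing tokens from the OS CSPRNG.

```python
import math
import secrets
import string

# Assumed token alphabet: upper- and lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of a given length: each position takes any symbol."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits an attacker has to guess, assuming tokens are drawn uniformly."""
    return length * math.log2(alphabet_size)


def hit_rate(tokens_tried: int, hits: int) -> float:
    """Fraction of random guesses in a scan that landed on a live link."""
    return hits / tokens_tried


def expected_guesses_per_hit(length: int, live_links: int,
                             alphabet_size: int = len(ALPHABET)) -> float:
    """Expected random guesses before one lands on a live link,
    given live_links active tokens of that length."""
    return keyspace(length, alphabet_size) / live_links


def min_token_length(live_links: int, guess_budget: int,
                     alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest token length at which an attacker spending guess_budget guesses
    expects fewer than one hit among live_links active links."""
    length = 1
    while keyspace(length, alphabet_size) / live_links <= guess_budget:
        length += 1
    return length


def generate_token(length: int) -> str:
    """Hypothetical shortener-side helper: a token drawn from the OS CSPRNG,
    so no token is predictable from any other one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Scan figures quoted on this page: 1e8 random 7-char bit.ly tokens, 1,105,146 hits.
    print(f"7-char keyspace: {keyspace(7):,} (~{entropy_bits(7):.1f} bits)")
    print(f"scan hit rate: {hit_rate(100_000_000, 1_105_146):.4%}")
    # Assumed: 1e9 live links, attacker budget of 1e15 guesses.
    needed = min_token_length(10**9, 10**15)
    print("token length needed:", needed)
    print("example token:", generate_token(needed))
```

The takeaway is the ratio in `expected_guesses_per_hit`: with a few billion live links behind a seven-character token, a random guess lands on someone's document every few thousand tries, which is exactly why a sampled scan finds so much. Doubling the length roughly squares the work, which is the "more characters" fix the page mentions at the end.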
“We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)… but we sampled enough to discover interesting information and draw important conclusions… OneDrive URLs have a predictable structure. From the URL to a single shared document (“seed”), one can construct the root URL and automatically traverse the account, discovering all files and folders shared under the same capability as the seed document or without a capability… The traversal-augmented scan yielded URLs to 227,276 publicly accessible OneDrive documents, including dozens of thousands of PDF and Word files, spreadsheets, media files, and executable binaries. A similar scan of 100,000,000 random seven-character bit.ly tokens yielded URLs to 1,105,146 publicly accessible OneDrive documents. We did not download their contents, but just from the metadata it is obvious that many of them contain private or sensitive information,”
–blog post, Vitaly Shmatikov, Cornell University
Now that’s a real bummer, especially for ordinary users at home or businesses who are not aware of the implications. Many think they can just hand the shortened link to their recipients and go on with their lives, forgetting to kill these links as soon as their recipients have received the package. Some of these open shares have write access, so malicious attackers can dump anything into those folders, including malware, or use them at their leisure for other purposes.
In the case of Google Maps, attackers can find out a person’s identity and even track their future activities through the endpoints of shared driving directions. Does “I know where you live, and I know where you go” sound creepy to you?
“The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions. For instance, when analyzing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a Planned Parenthood facility. Conversely, by starting from a residential address and mapping all addresses appearing as the endpoints of the directions to and from the initial address, one can create a map of who visited whom,”
As a result, both Microsoft and Google disabled these services until they find a better way, perhaps by increasing the number of characters in the shortened links. If you still find URL shortening services essential, just be sure to kill the links as soon as possible.
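"Kill the links as soon as possible" only works if the link has a deadline and an off switch. The following added example (not code from the article, Microsoft, Google or any shortener) sketches a hypothetical shortener-side registry in which every share link carries a time-to-live, can be revoked by its owner, and resolves identically for unknown, expired and revoked tokens so a scanner learns nothing from the distinction. The 22-character token length, the clock passed in by the caller and the example target URL are assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field

# Assumed token alphabet: letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


@dataclass
class ShareLink:
    target: str
    expires_at: float        # Unix seconds; the caller supplies the clock
    revoked: bool = False


@dataclass
class ShareLinkRegistry:
    """Hypothetical shortener-side store: every link has a deadline and can be killed early."""
    token_length: int = 22   # 22 chars of base-62 is roughly 131 bits of guessing work
    links: dict = field(default_factory=dict)

    def issue(self, target: str, now: float, ttl_seconds: float) -> str:
        """Create a short-lived link; the token comes from the OS CSPRNG."""
        token = "".join(secrets.choice(ALPHABET) for _ in range(self.token_length))
        self.links[token] = ShareLink(target, now + ttl_seconds)
        return token

    def revoke(self, token: str) -> bool:
        """Owner kills a link before its deadline. Returns False if the token is unknown."""
        link = self.links.get(token)
        if link is None:
            return False
        link.revoked = True
        return True

    def resolve(self, token: str, now: float):
        """Return the target, or None for unknown, revoked and expired tokens alike."""
        link = self.links.get(token)
        if link is None or link.revoked or now >= link.expires_at:
            return None
        return link.target

    def purge_expired(self, now: float) -> int:
        """Drop dead entries so a leaked database copy carries nothing resolvable."""
        stale = [t for t, l in self.links.items() if l.revoked or now >= l.expires_at]
        for t in stale:
            del self.links[t]
        return len(stale)


if __name__ == "__main__":
    # Constructed walkthrough with a fixed clock instead of time.time().
    reg = ShareLinkRegistry()
    t = reg.issue("https://example.invalid/report.pdf", now=1000.0, ttl_seconds=3600)
    print("during TTL:", reg.resolve(t, 1200.0))
    print("after TTL: ", reg.resolve(t, 5000.0))
    reg.revoke(t)
    print("revoked:   ", reg.resolve(t, 1200.0))
    print("purged:    ", reg.purge_expired(1200.0))
```

The design choice worth copying is that `resolve` gives one uniform answer for every non-live token: a caller who can tell "expired" from "never existed" can confirm which tokens were once real, and that is the kind of structure the quoted research exploited.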