Helping people share more links to online documents or articles in social networks and on Web sites, platforms such as Microsoft OneDrive and Google Maps integrate URL shorteners that convert long URLs into short ones. A university study found that those shortened URLs can lead to serious security issues by enabling hackers to track people and steal information.
Cornell Tech's Martin Georgiev and Vitaly Shmatikov on Thursday published the results of an 18-month study that found the five- or six-character tokens added to domains such as 1drv.ms or goo.gl are so short that the URLs can be scanned "using brute-force search" by anyone with patience and a few computers.
In the case of online maps, the researchers show how short-URL enumeration reveals the directions that users shared with each other. For many individual users, this enables inference of their residential addresses, true identities, and extremely sensitive locations, both those they looked up online and those they intended to visit in person, the disclosure of which would in some cases violate medical privacy laws.
For cloud storage, the researchers focus on Microsoft OneDrive to show how short-URL enumeration can be used to discover and read shared content stored in the OneDrive cloud, including files for which the user never generated a short URL.
Some 7% of the OneDrive accounts exposed in this way allow anyone to write into documents that do not belong to them. Because cloud-stored files are automatically synced to the owner's personal computer and devices, an attacker could inject malware into those files, which would make it easy to track the owner online.
Tampering doesn't stop at Word documents or map files; it also extends to creative assets belonging to brands. Can you imagine a creative advertising campaign being held hostage for ransom, much as some hackers lock files on personal computers and demand payment before releasing them? And while the researchers do not mention malware injected into advertisements, that is certainly another possibility.
The paper's authors note that they have contacted Google and Microsoft about the security risks, but acknowledge that solving the problem will not be easy, since short URLs are an integral part of many cloud services and previously shared information remains publicly accessible.
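To make the sizing argument behind the study concrete for anyone running a shortener, here is an added example (not code from the researchers or from either vendor) that computes the entropy of a token, the expected number of random guesses before one lands on a live URL, and the minimum length needed to reach a target entropy. The [A-Za-z0-9] alphabet and the one-billion-live-URLs figure are assumptions for illustration, not values stated in the article.

```python
import math
import secrets
import string

# Assumed alphabet for shortener tokens: [A-Za-z0-9]. The exact alphabets used
# by 1drv.ms and goo.gl are not given on the page.
ALPHABET = string.ascii_letters + string.digits


def token_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy in a uniformly random token of the given length."""
    return length * math.log2(len(alphabet))


def expected_guesses_per_hit(length: int, live_urls: int,
                             alphabet: str = ALPHABET) -> float:
    """Expected number of random tokens tried before one resolves to a live URL.

    Enumeration is cheap when the token space is only modestly larger than the
    number of URLs actually in use; that ratio is what the service controls.
    """
    space = len(alphabet) ** length
    return space / live_urls


def min_length_for_bits(target_bits: float, alphabet: str = ALPHABET) -> int:
    """Smallest token length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def new_token(length: int, alphabet: str = ALPHABET) -> str:
    """Draw a token from a CSPRNG; sequential or clock-based tokens are trivially
    enumerable regardless of length."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    live = 10**9  # constructed: assume one billion live short URLs
    for n in (5, 6, 22):
        print(f"length {n}: {token_entropy_bits(n):.1f} bits, "
              f"~{expected_guesses_per_hit(n, live):.0f} guesses per live URL")
    print("length for 128 bits:", min_length_for_bits(128))
    print("sample token:", new_token(min_length_for_bits(128)))
```

With six characters the space holds roughly 57 billion tokens, so against a billion live links fewer than a hundred random probes are expected per hit; a 128-bit token needs 22 characters from this alphabet.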