The Cornell Tech researchers’ work began more than a year and a half ago when they noticed that certain Google and Microsoft services—namely Microsoft OneDrive and Google Maps—used Bit.ly’s URL shortening service to generate web addresses with only six seemingly random characters. That’s few enough that a determined nerd could use software to automatically generate, visit and analyze all of the millions of possible shortened URLs, or at least a significant fraction of them. “With a decent number of machines you can scan the entire space,” says Cornell Tech computer scientist Vitaly Shmatikov. “You just randomly generate the URLs and see what’s behind them.”

Shortened URLs from Google and Microsoft Cracked By Researchers [wired.com]
“Our scan discovered a large number of Microsoft OneDrive accounts with private documents.
“Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.”
The pair says in their Gone in Six Characters: Short URLs Considered Harmful for Cloud Services [PDF] that they found driving directions which could reveal a user's home address, their hospital, trips to prisons, and adult establishments.
Shortened URLs are a combination of a domain name and a five- to seven-character token; it is this brevity that introduces the basic vulnerabilities.