Due to the predictable structure generated by Bit.ly (used by Microsoft in its OneDrive cloud storage app), the duo found that it was easy to find the full URL for one file, and subsequently find the user’s other files. This meant that the researchers were able to access some files that contained sensitive information. Worse yet, a small proportion of these files were write-enabled, which would allow hackers to infect files with malware and viruses relatively easily.
In terms of Google’s links (which were used in Google Maps), Shmatikov and Georgiev found that they could determine users’ locations and destinations, all by scanning the shortened URLs with five-character tokens.
Luckily, since being alerted by the Cornell researchers of the issue, both Microsoft and Google have fixed the underlying problem with their shorteners. There are now 11 to 12 character tokens in Google Maps links, and the company has also added security measures to protect against URL scanning. While TheNextWeb reports that “Microsoft didn’t take as kindly to the researchers pointing out the flaw in its service,” it has since disabled the ability to shorten links in OneDrive.
So what’s to be done to help improve shortener security? Shmatikov and Georgiev have offered a few tips:
- Use your own resolver and tokens, not bit.ly.
- Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners.
- Design better APIs so that leakage of a single URL does not compromise every shared URL in the account.
