A group of researchers from Cornell University have discovered a way of reverse engineering shortened URLs to perform a multitude of actions; including spreading malware and stealing personal information. All this on a system that was designed to conceal information to prevent this from happening.
The researchers had original tested their theory of simply using brute force against shortened URLs to see what they could access. Essentially, they simply changed the six-characters at the end of shortened URLs like Bit.ly until they found something they could modify. In this case, the vulnerability lay with Microsoft’s OneDrive.
About seven percent of the tested shortened URLs resulted in a OneDrive file that could be edited in some way. It doesn’t sound like much, but the weakness could make it easy for cybercriminals to inject malware into private documents without the knowledge of the owner.
The researchers also applied their method to Google Maps and turned up location and navigation data of users. The hit chance was slightly higher for Google Maps related attempts, with 10-percent of the 230 million tested URLs turning up visible results like “clinics for specific diseases (including cancer and mental illnesses), addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, [and] gentlemen’s clubs.”
More often than not, these locations would also reveal a residential address. The researchers claim that the mapping information could be used to discover other information about an individual.
The problem is not just limited to Google Maps, but also extends to other mapping services like Mapquest, Bing Maps, and Yahoo! Maps.
At the moment, both Google and Microsoft have taken steps to mitigate the problem with shortened URLs. Google has increased the number of randomised characters used from six to twelve; while Microsoft has simply disabled the option of sharing files through shortened URLs.
That being said, the study only shows the danger in using URL shorteners to share private links. The researchers warn that the public needs to be more aware about what is involved with shortening URLs; and that anonymity is not really a defence on the internet.