Two web security researchers recently published a study exposing the privacy problems caused by URL shorteners. Microsoft and Google both build URL shortening into many of their cloud services. The image above shows Google Maps addresses recovered through short URLs, all associated with a single user in Austin, Texas.
When users share content whose access credentials are embedded in the long web address (the shared link itself is the only secret), these services let an attacker reach that data simply by enumerating the shortener's token space and following every short URL that resolves. The short URLs are guessable precisely because they are short: a token of a few alphanumeric characters gives an address space small enough to scan by brute force.
One example is Microsoft's 1drv.ms, used by its OneDrive cloud storage service; another is binged.it, used for Bing Maps. Both are custom domains of the bit.ly URL shortening service. Although Microsoft has discontinued the OneDrive shortener, URLs that were already generated remain accessible.
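To make the "enumerating the token space" point concrete, here is an added example written for this post; it is not the researchers' scanning code and not anything from Microsoft, Google or bit.ly. It assumes bit.ly-style tokens drawn from the 62 case-sensitive alphanumerics, stands in a constructed redirect table for the live shortener (the tokens and long URLs in it are invented), and treats an `authkey` query parameter on a OneDrive link as the sign that the access credential travels inside the URL, which is an assumption about how such share links are built.

```python
import itertools
import string
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: bit.ly-style tokens drawn from the 62 case-sensitive
# alphanumerics. A real shortener may use a different alphabet.
ALPHABET = string.ascii_letters + string.digits


def token_space(length):
    """Number of distinct tokens of a given length: 62**length."""
    return len(ALPHABET) ** length


def hours_to_enumerate(length, requests_per_second):
    """Wall-clock hours to try every token once at a fixed request rate."""
    return token_space(length) / requests_per_second / 3600.0


def exhaustive_tokens(length):
    """Every token of the given length, in ALPHABET order."""
    for chars in itertools.product(ALPHABET, repeat=length):
        yield "".join(chars)


# Constructed redirect table standing in for the shortener. In a real scan each
# token is one HTTP request and the long URL is the Location header of the
# redirect; here it is a dict so the example runs offline. Two-character tokens
# keep the exhaustive scan small (62**2 = 3844 candidates).
CONSTRUCTED_REDIRECTS = {
    "aB": "https://onedrive.live.com/redir?resid=CONSTRUCTED1!101&authkey=!AConstructedKey",
    "c7": "https://onedrive.live.com/redir?resid=CONSTRUCTED2!202",
    "Zz": "https://www.google.com/maps/dir/100+Example+St,+Austin,+TX/200+Sample+Ave,+Austin,+TX",
    "q9": "https://example.org/blog/post",
}


def resolve(token):
    """Follow one short URL. Returns the long URL, or None if the token is unused."""
    return CONSTRUCTED_REDIRECTS.get(token)


def classify(long_url):
    """Label a resolved URL by what it exposes.

    Assumption: a OneDrive link carrying an 'authkey' query parameter is a share
    link whose access credential lives in the URL, so anyone holding the URL
    holds the permission. A Google Maps '/maps/dir/' URL exposes both endpoints
    of a trip.
    """
    parts = urlsplit(long_url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    if host == "onedrive.live.com":
        return "onedrive-share-with-authkey" if "authkey" in query else "onedrive"
    if host.endswith("google.com") and parts.path.startswith("/maps/dir/"):
        return "maps-directions"
    return "other"


def scan(tokens):
    """Resolve every candidate token and tally what the live ones point to."""
    tried = 0
    resolved = []
    by_class = Counter()
    for token in tokens:
        tried += 1
        long_url = resolve(token)
        if long_url is None:
            continue
        resolved.append((token, long_url))
        by_class[classify(long_url)] += 1
    return {"tried": tried, "resolved": resolved, "by_class": by_class}


def extrapolate(hits, sample_size, length):
    """Estimate how many live tokens exist from a uniform random sample."""
    return hits / sample_size * token_space(length)


if __name__ == "__main__":
    result = scan(exhaustive_tokens(2))
    print(f"tried {result['tried']} tokens, {len(result['resolved'])} resolved")
    for label, count in sorted(result["by_class"].items()):
        print(f"  {label}: {count}")
    # Why token length is the whole story: a six-character space is enumerable
    # in months at a modest request rate, a twelve-character one is not.
    for length in (5, 6, 7, 12):
        print(f"{length} chars: {token_space(length):.3e} tokens, "
              f"{hours_to_enumerate(length, 1000):.3e} h at 1000 req/s")
```

The scan itself is nothing more than a loop over candidate tokens; the security-relevant step is `classify`, which separates harmless redirects from links that carry a credential or a location in the URL, and `extrapolate`, which is how a sample of a large token space is turned into a population estimate rather than a full enumeration.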
Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study focused on OneDrive and Google Maps. One of their conclusions was that shortened Microsoft OneDrive URLs were far too easy to discover.
Despite the researchers' findings, Microsoft will not acknowledge short URLs as a security hole and stated that the changes made to OneDrive were unrelated to the research. A PDF of Shmatikov and Georgiev's study can be found here.
Source: Ars Technica