Watch out! URL shorteners could leak sensitive content

Two security researchers from Cornell Tech discovered that web URL shorteners operate in predictable way exposing sensitive data.

The security researchers Vitaly Shmatikov and Martin Georgiev from Cornell Tech discovered that web URL shorteners operate in predictable way, and this could result in the disclosure of sensitive information.

The duo analyzed the most popular URL shorteners, including the services implemented by Google, Bit.ly and Microsoft and discovered that attackers can enumerate short URLs to find a sensitive information available on the web. The researchers, for example, discovered short URLs pointing Microsoft OneDrive folders that are unlocked.

“short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force.  Our scan discovered a large number of Microsoft OneDrive accounts with private documents.  Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.” Shmatikov in a blog post. 

The experts also discovered that URL shorteners can reveal information that could allow to profile users.

“We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.” 

The details of their analysis are included in a paper titled “Gone in Six Characters: Short URLs Considered Harmful for Cloud Services.”

Google and Microsoft have pushed introduced fixes to secure new shortened URL links, anyway old links remain vulnerable.

The researchers explained that shortened URLS are generated in a predictable way by combining domain names and a sequence composed of five- to seven-character. The result is a short URL, but its brevity and the knowledge of the generation mechanism introduces the basic vulnerabilities that could allow attackers to launch brute force attacks.

“The tokens are so short that the entire set of URLs can be scanned by brute force.  The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.” explained Shmatikov “

The scan of 100 million URLs allowed the experts to discovere more than 1.1 million publicly accessible OneDrive documents including documents and executables.

“In our sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens, 42% resolved to actual URLs.  Of those, 19,524 URLs lead to OneDrive/SkyDrive files and folders, most of them live.  But this is just the beginning.”

The random scan of Google-shortened URLs allowed the identification of 23,965,718 links, 10 per cent of them containing driving directions to sensitive locations including disease, abortion clinics, and strip clubs.

The duo demonstrated that shortening URL may expose sensitive content to third parties. The experts suggest the adoption of measures to limit automated scanning activities.

“Use your own resolver and tokens, not bit.ly. Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners. Finally, design better APIs so that leakage of a single URL does not compromise every shared URL in the account.” states the duo.

[adrotate banner=”9”]

Pierluigi Paganini

(Security Affairs – URL shorteners,  hacking)