Researchers Find Vulnerabilities In Microsoft's and Google's Short URL Services (arstechnica.com)
An anonymous reader cites an article on Ars Technica: Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service (PDF) in search of content, because of how predictable and short those addresses are. Both Microsoft and Google have offered URL shortening services embedded in various cloud services. Microsoft included the 1drv.ms URL shortening service in its OneDrive cloud storage service and a similar service (binged.it) for Bing Maps -- "branded" domains of the bit.ly domain shortening service. Microsoft has stopped offering the OneDrive embedded shortener, but existing URLs are still accessible. Google Maps has an embedded tool that creates URLs with the goo.gl domain. Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. "We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)," Shmatikov wrote in a blog post today, "but we sampled enough to discover interesting information and draw important conclusions." One of those conclusions was that Microsoft's OneDrive shortened URLs were entirely too easy to traverse.
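The summary's point is that a short token is a small search space, and that a long URL which carries its own credential becomes just as guessable once it sits behind one. The script below is an added illustration, not code from the paper or from Ars; it puts numbers on the size of a shortener's token space and on the cost of sampling it, and it flags URLs that a practitioner should refuse to shorten because they embed a credential. The six-character base-62 alphabet, the 1,000 requests/second rate and the list of credential-looking query parameter names are assumptions chosen for the example, not values taken from the research.

```python
import math
import random
import string
from urllib.parse import parse_qsl, urlsplit

# Assumed shortener alphabet: bit.ly-style tokens are case-sensitive
# alphanumerics. Treat this as an assumption, not a measured fact.
BASE62 = string.ascii_letters + string.digits


def token_space(length, alphabet=BASE62):
    """Number of distinct tokens a shortener can mint at this length."""
    return len(alphabet) ** length


def entropy_bits(length, alphabet=BASE62):
    """Bits of entropy in a uniformly random token; compare with the
    128+ bits a proper capability/bearer token should carry."""
    return length * math.log2(len(alphabet))


def scan_seconds(length, requests_per_second, alphabet=BASE62):
    """Wall-clock seconds to enumerate every token at a fixed request rate
    (ignores rate limiting, retries and parallelism)."""
    return token_space(length, alphabet) / requests_per_second


def sample_tokens(count, length, seed=0, alphabet=BASE62):
    """Draw random tokens from the space, the way a sampling study would
    probe a shortener without crawling it exhaustively. Seeded so the
    run is reproducible; no network access is performed here."""
    rng = random.Random(seed)
    return ["".join(rng.choices(alphabet, k=length)) for _ in range(count)]


# Query parameter names that usually carry a bearer credential. This set
# is an assumption for the example; extend it for the services you use.
CREDENTIAL_PARAMS = {
    "authkey", "key", "token", "access_token", "sig", "signature",
    "password", "passwd", "pwd",
}


def shorten_risk(url):
    """Return the reasons a URL should not be handed to a public shortener.
    An empty list means nothing credential-like was found in the URL
    itself (the target may still be sensitive for other reasons)."""
    parts = urlsplit(url)
    reasons = []
    if parts.username or parts.password:
        reasons.append("userinfo (username/password) embedded in the URL")
    for name, _ in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            reasons.append(f"query parameter '{name}' looks like a bearer credential")
    return reasons


if __name__ == "__main__":
    n = token_space(6)
    print(f"6-char base-62 space: {n:,} tokens, {entropy_bits(6):.1f} bits")
    print(f"full scan at 1000 req/s: {scan_seconds(6, 1000) / 86400 / 365:.1f} years")
    print("sample:", sample_tokens(3, 6, seed=42))
    for u in (
        "https://maps.example.com/?ll=40.7,-74.0&z=15",
        "https://files.example.com/redir?resid=ABC&authkey=!XYZ",
        "https://user:secret@files.example.com/report.pdf",
    ):
        print(u, "->", shorten_risk(u) or "ok to share")
```

The scan estimate is deliberately naive: it assumes one request per token and no rate limiting, which is why the research sampled rather than enumerated, and why the authors note that a better-resourced adversary could still afford the full sweep. The `shorten_risk` check is the policy the comments below argue for: if the URL is the credential, do not put it behind anything guessable.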
The Google Maps URLs are nice because they contain the entire view you're seeing (including a place you have highlighted or directions). Those URLs get pretty massive and if you post them in a chat window, they tend to break (special characters and such). So I can see use cases there.
The goo.gl shortener says, right below the URL entry field: "All goo.gl URLs and click analytics are public and can be accessed by anyone". I always figured that it was obvious you shouldn't use this sort of service for any URL that needed to be kept secret, and didn't have some additional access control behind it.
> data protected by credentials included in the Web address
You're doing it wrong.
A web address, or URI, is a universal resource IDENTIFIER (or locator, for the older terminology). It specifies which data you wish to access. That's not the place for authentication to be.
Sharing a long URL which includes your user name and password is stupid too.