Slashdot Mirror


Researchers Find Vulnerabilities In Microsoft's and Google's Short URL Services (arstechnica.com)

An anonymous reader cites an article on Ars Technica: Two security researchers have published research exposing the potential privacy problems connected to using Web address shortening services. When used to share data protected by credentials included in the Web address associated with the content, these services could allow an attacker to gain access to data simply by searching through the entire address space for a URL-shortening service (PDF) in search of content, because of how predictable and short those addresses are. Both Microsoft and Google have offered URL shortening services embedded in various cloud services. Microsoft included the 1drv.ms URL shortening service in its OneDrive cloud storage service and a similar service (binged.it) for Bing Maps -- "branded" domains of the bit.ly domain shortening service. Microsoft has stopped offering the OneDrive embedded shortener, but existing URLs are still accessible. Google Maps has an embedded tool that creates URLs with the goo.gl domain. Vitaly Shmatikov of Cornell Tech and visiting researcher Martin Georgiev conducted an 18-month study in which they focused on OneDrive and Google Maps. "We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary)," Shmatikov wrote in a blog post today, "but we sampled enough to discover interesting information and draw important conclusions." One of those conclusions was that Microsoft's OneDrive shortened URLs were entirely too easy to traverse.

2 of 48 comments

  1. Rinse and reuse by xxxJonBoyxxx · Score: 4, Insightful

    "Researchers Find Privacy Problems In Microsoft's and Google's [Variable] Services" could pretty much be a headline any day...by design.

  2. Not a URL shortening vulnerability by Anonymous Coward · Score: 5, Insightful

    If you want information to be private, require authentication to access it. The real problem here is that files are shared in the cloud allowing read and, sometimes, write access without requiring authentication. The default needs to be requiring authentication and then prompting the user if they want to change the permissions. Otherwise, you're relying on security through obscurity, which isn't security at all. It's too easy for URLs to end up being found through things like the clipboard and the browser history that nobody should expect them to remain secret. Don't rely on security through obscurity. It doesn't work.