URL shorteners may be compromising link security


They may save you some real estate in that tweet, Facebook post, or text, but URL shorteners aren’t doing you any favors when it comes to security. According to new research from Cornell Tech, bit.ly and goo.gl links can actually let attackers reach your personal data. Researchers Vitaly Shmatikov and Martin Georgiev conducted an 18-month study of the shortening services used by Microsoft and Google, and found rather severe security flaws in both companies’ practices.

Because of the predictable structure of the links generated by Bit.ly (used by Microsoft in its OneDrive cloud storage app), the duo found it easy to recover the full URL for one file and, from there, to find the user’s other files. This meant that the researchers were able to access files that contained sensitive information. Worse yet, a small proportion of these files were write-enabled, which would let attackers plant malware in them relatively easily.


In the case of Google’s links (which were used in Google Maps), Shmatikov and Georgiev found that they could determine users’ locations and destinations simply by scanning the space of shortened URLs, which used five-character tokens.

Luckily, since being alerted to the issue by the Cornell researchers, both Microsoft and Google have fixed the underlying problem with their shorteners. Google Maps links now use 11- to 12-character tokens, and Google has also added measures to protect against URL scanning. While TheNextWeb reports that “Microsoft didn’t take as kindly to the researchers pointing out the flaw in its service,” it has since disabled the ability to shorten links in OneDrive.

So what’s to be done to help improve shortener security? Shmatikov and Georgiev have offered a few tips:

  • Use your own resolver and tokens, not bit.ly.
  • Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners.
  • Design better APIs so that leakage of a single URL does not compromise every shared URL in the account.
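As an added example (not from the article or the Cornell researchers), a small Python resolver that applies the first two tips: it issues unguessable 12-character tokens from the CSPRNG and blocks a client that produces too many failed lookups in a short window, which is what a token scan looks like from the server side. `enumeration_seconds` estimates how long covering the whole token space takes at a given lookup rate, which shows why five-character tokens were a problem; the class, its parameters and the sample URL are all constructed for this illustration.

```python
import secrets
from collections import defaultdict, deque

# Shortener tokens are usually drawn from [A-Za-z0-9]: 62 symbols per position.
ALPHABET_SIZE = 62


def enumeration_seconds(token_len, lookups_per_second):
    """Time for a scanner to try every token of the given length at a given rate.
    At 1000 lookups/s a 5-character space is covered in about ten days; a
    12-character space takes on the order of 10^11 years."""
    return ALPHABET_SIZE ** token_len / lookups_per_second


class Shortener:
    """Constructed self-hosted resolver: random tokens plus scan detection."""

    def __init__(self, token_bytes=9, window=60, max_misses=20):
        self.links = {}                     # token -> long URL
        self.token_bytes = token_bytes      # 9 random bytes -> 12 URL-safe chars
        self.window = window                # seconds over which misses are counted
        self.max_misses = max_misses        # failed lookups tolerated per window
        self.misses = defaultdict(deque)    # client -> timestamps of failed lookups
        self.blocked = set()

    def shorten(self, long_url):
        """Issue a token from the CSPRNG rather than a short, predictable counter."""
        token = secrets.token_urlsafe(self.token_bytes)
        self.links[token] = long_url
        return token

    def resolve(self, token, client, now):
        """Return the long URL, or None. A scanner mostly hits tokens that do not
        exist, so a burst of misses from one client is the signal to cut it off."""
        if client in self.blocked:
            return None
        url = self.links.get(token)
        if url is None:
            recent = self.misses[client]
            recent.append(now)
            # Drop misses that fell out of the sliding window.
            while recent and now - recent[0] > self.window:
                recent.popleft()
            if len(recent) > self.max_misses:
                self.blocked.add(client)
        return url
```

In production the `blocked` set would be a rate limiter or a CAPTCHA challenge rather than a permanent ban, but the signal (many misses from one source) is the same.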
Lulu Chang