Skip to main content

URL shorteners may be compromising link security

how to download torrents man downloading on computer with coffee
They may save you some real estate in that tweet, Facebook post, or text, but URL shorteners aren’t doing you any favors when it comes to security. According to new research from Cornell Tech, bit.ly and goo.gl can actually allow hackers to gain access to your personal data. Scientists Vitaly Shmatikov and Martin Georgiev conducted an 18-month study of both Microsoft and Google’s shortening method, and found that there were rather severe security flaws in both companies’ practices.

Due to the predictable structure generated by Bit.ly (used by Microsoft in its OneDrive cloud storage app), the duo found that it was easy to find the full URL for one file, and subsequently find the user’s other files. This meant that the researchers were able to access some files that contained sensitive information. Worse yet, a small proportion of these files were write-enabled, which would allow hackers to infect files with malware and viruses relatively easily.

Related Videos

In terms of Google’s links (which were used in Google Maps), Shmatikov and Georgiev found that they could determine users’ locations and destinations, all by scanning the shortened URLs with five-character tokens.

Luckily, since being alerted by the Cornell researchers of the issue, both Microsoft and Google have fixed the underlying problem with their shorteners. There are now 11 to 12 character tokens in Google Maps links, and the company has also added security measures to protect against URL scanning. While TheNextWeb reports that “Microsoft didn’t take as kindly to the researchers pointing out the flaw in its service,” it has since disabled the ability to shorten links in OneDrive. 

So what’s to be done to help improve shortener security? Shmatikov and Georgiev have offered a few tips:

  • Use your own resolver and tokens, not bit.ly.
  • Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners.
  • Design better APIs so that leakage of a single URL does not compromise every shared URL in the account.

Editors' Recommendations

Bing Image Creator brings DALL-E AI-generated images to your browser
Bing Image Creator being used in the Edge sidebar.

Microsoft isn't slowing down its momentum in generative AI. Just a month since it launched the ChatGPT-based Bing Chat, the company is now introducing Bing Image Creator, which brings text-to-image generation right to your browser.

Bing Image Creator lets you create images from text using DALL-E, which is OpenAI's own text-to-image AI model. Microsoft says it's using "an advanced" version of DALL-E, though the company didn't provide specifics about how it was different than the current DALL-E 2 model. This isn't dissimilar, though, to how Bing Chat was announced, which had been running on GPT-4 before the new model had even been announced.

Read more
The Windows 11 taskbar is getting an important new update
windows 11 taskbar third party app pinning

Microsoft is working on new experiences for Windows that will allow developers to enable pinning for third-party applications, as well as enable pinning to the Taskbar.

Microsoft recently announced the details of these upcoming functions in a blog post. This is the brand's attempt to universalize its pinning process across all apps used on Windows. In practice, it will be similar to how pinning works on the Edge browser, with the Windows 11 users being notified by the Action Center about a request for pinning to the Taskbar by the app in question.

Read more
NordPass adds passkey support to banish your weak passwords
password manager lifestyle image

Weak passwords can put your online accounts at risk, but password manager NordPass thinks it has the solution. The app has just added support for passkeys, giving you a far more secure way to keep all your important logins safe and sound.

Instead of a vulnerable password, passkeys work by using your biometric data as your login ‘fingerprint.’ For example, you could use the Touch ID button on a Mac or a facial recognition scanner on your smartphone to log in to your account. No typing required.

Read more