Skip to main content

URL shorteners may be compromising link security

They may save you some real estate in that tweet, Facebook post, or text, but URL shorteners aren’t doing you any favors when it comes to security. According to new research from Cornell Tech, bit.ly and goo.gl can actually allow hackers to gain access to your personal data. Scientists Vitaly Shmatikov and Martin Georgiev conducted an 18-month study of both Microsoft and Google’s shortening method, and found that there were rather severe security flaws in both companies’ practices.

Due to the predictable structure generated by Bit.ly (used by Microsoft in its OneDrive cloud storage app), the duo found that it was easy to find the full URL for one file, and subsequently find the user’s other files. This meant that the researchers were able to access some files that contained sensitive information. Worse yet, a small proportion of these files were write-enabled, which would allow hackers to infect files with malware and viruses relatively easily.

Recommended Videos

In terms of Google’s links (which were used in Google Maps), Shmatikov and Georgiev found that they could determine users’ locations and destinations, all by scanning the shortened URLs with five-character tokens.

Luckily, since being alerted by the Cornell researchers of the issue, both Microsoft and Google have fixed the underlying problem with their shorteners. There are now 11 to 12 character tokens in Google Maps links, and the company has also added security measures to protect against URL scanning. While TheNextWeb reports that “Microsoft didn’t take as kindly to the researchers pointing out the flaw in its service,” it has since disabled the ability to shorten links in OneDrive. 

So what’s to be done to help improve shortener security? Shmatikov and Georgiev have offered a few tips:

  • Use your own resolver and tokens, not bit.ly.
  • Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners.
  • Design better APIs so that leakage of a single URL does not compromise every shared URL in the account.
Lulu Chang
Fascinated by the effects of technology on human interaction, Lulu believes that if her parents can use your new app…
Why new antivirus software may have just installed itself on your PC
A person compares Bitdefender and Norton antivirus software pricing on a Windows PC.

Late last week, cybersecurity company Kaspersky started deleting its anti-malware software from computers located in the United States. As a replacement, the company automatically downloaded antivirus software from UltraAV instead.

If you use Kaspersky antivirus software, you may know the Russian company was added to the U.S. government's Entity List and subjected to a ban on sales and updates within the United States earlier this year. As a result, the company told BleepingComputer in July that it had decided to shut down its U.S. operations and lay off its American employees.

Read more
macOS Sequoia may be breaking important security tools
macOS Sequoia being introduced by Apple's Craig Federighi at the Worldwide Developers Conference (WWDC) 2024.

Apple released macOS Sequoia on Monday, but the update has broken the functionality for some networking and security tools from companies such as Microsoft, CrowdStrike, SentinelOne, and more, as Bleeping Computer reports. Affected users on Reddit are sharing their issues with security software such as ESET Endpoint Security and CrodStrike Falcon.

Other reported issues include firewalls causing packet corruptions, browser SSL failures, and the inability to use the "curl" or "get" commands. Users can fix the problem quickly by turning off the tools, which indicates an incompatibility issue with the network stack, but this is not the fix many may be looking for.

Read more
Don’t use your Windows PC without using these security settings
The Windows Security app in Windows 11.

Historically, Windows has had a bad reputation for security, and there are far more malware strains that target Windows than any other operating system out there -- largely due to the scale of PCs that exist in the world. With such a vast array of potential threats, it’s more important than ever to keep your Microsoft PC safe and protected.

But doing so doesn’t have to be difficult or expensive. In fact, you can start right now with just the computer you own, no extra software necessary. And if you do want to supplement your PC with some of the best Windows apps that will boost your security and privacy, you don’t need to pay a penny.

Read more