Skip to main content

URL shorteners may be compromising link security

how to download torrents man downloading on computer with coffee
Image used with permission by copyright holder
They may save you some real estate in that tweet, Facebook post, or text, but URL shorteners aren’t doing you any favors when it comes to security. According to new research from Cornell Tech, bit.ly and goo.gl can actually allow hackers to gain access to your personal data. Scientists Vitaly Shmatikov and Martin Georgiev conducted an 18-month study of both Microsoft and Google’s shortening method, and found that there were rather severe security flaws in both companies’ practices.

Due to the predictable structure generated by Bit.ly (used by Microsoft in its OneDrive cloud storage app), the duo found that it was easy to find the full URL for one file, and subsequently find the user’s other files. This meant that the researchers were able to access some files that contained sensitive information. Worse yet, a small proportion of these files were write-enabled, which would allow hackers to infect files with malware and viruses relatively easily.

In terms of Google’s links (which were used in Google Maps), Shmatikov and Georgiev found that they could determine users’ locations and destinations, all by scanning the shortened URLs with five-character tokens.

Luckily, since being alerted by the Cornell researchers of the issue, both Microsoft and Google have fixed the underlying problem with their shorteners. There are now 11 to 12 character tokens in Google Maps links, and the company has also added security measures to protect against URL scanning. While TheNextWeb reports that “Microsoft didn’t take as kindly to the researchers pointing out the flaw in its service,” it has since disabled the ability to shorten links in OneDrive. 

So what’s to be done to help improve shortener security? Shmatikov and Georgiev have offered a few tips:

  • Use your own resolver and tokens, not bit.ly.
  • Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners.
  • Design better APIs so that leakage of a single URL does not compromise every shared URL in the account.

Editors' Recommendations

Lulu Chang
Former Digital Trends Contributor
Fascinated by the effects of technology on human interaction, Lulu believes that if her parents can use your new app…
Google just made this vital Gmail security tool completely free
The top corner of Gmail on a laptop screen.

Hackers are constantly trying to break into large websites to steal user databases, and it’s not entirely unlikely that your own login details have been leaked at some point in the past. In cases like that, upgrading your password is vital, but how can you do that if you don’t even know your data has been hacked?

Well, Google thinks it has the answer because it has just announced that it will roll out dark web monitoring reports to every Gmail user in the U.S. This handy feature was previously limited to paid Google One subscribers, but the company revealed at its Google I/O event that it will now be available to everyone, free of charge.

Read more
Western Digital comes clean about massive security breach
western digital wd black d30 game drive 1 tb deal best buy march 2023

The popular PC storage manufacturer, Western Digital, has confirmed that it experienced a network security breach earlier this year, in which an unauthorized third party gained control of several of its systems.

The incident took place on March 26, 2023, but was immediately addressed by the manufacturer, with Western Digital reporting the breach bringing in top security experts to launch an investigation, which is currently ongoing, the company said in a statement.

Read more
A new WordPress bug may have left 2 million sites vulnerable
wordpress vulnerability version 472 plug in

A flaw in two WordPress custom plug-ins leaves users vulnerable to cross-site scripting attacks (XSS), according to a recent report.

Patchstack researcher Rafie Muhammad recently discovered an XSS flaw in the Advanced Custom Fields and Advanced Custom Fields Pro plug-ins, which are actively installed by over 2 million users worldwide, according to Bleeping Computer.

Read more