Cornell Tech researchers have shown that brute-force attacks against shortened uniform resource locators (URLs) can reveal the full Web addresses behind them, enabling hackers to spread malware to victims' computers via Microsoft's cloud storage service or to learn who requested Google Maps directions.
The researchers' work is based on their discovery that Microsoft OneDrive and Google Maps used Bit.ly's URL-shortening service to generate Web addresses whose only secret part is six seemingly random characters. That space is small enough that an attacker can write software to automatically generate, visit, and analyze every possible shortened URL, or at least a significant portion of them.
"With a decent number of machines you can scan the entire space," says Cornell Tech's Vitaly Shmatikov. "You just randomly generate the URLs and see what's behind them."
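The arithmetic behind that quote, as an added example that is not code from the Cornell Tech paper: the block below computes the size of a six-character short-URL space, the time needed to enumerate it at a given request rate, and the expected fraction of live links a random-sampling scan uncovers, then runs an exhaustive scan against a constructed, offline "resolver" dictionary standing in for Bit.ly. The 62-symbol alphabet (upper- and lower-case letters plus digits), the request rates and the target URLs are assumptions for illustration, not measurements from the paper.

```python
import itertools
import math
import string

# Assumed alphabet for short-URL tokens: 26 + 26 + 10 = 62 symbols.
ALPHABET = string.ascii_letters + string.digits


def keyspace_size(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def token_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random token, in bits (6 chars of base-62 is under 36 bits)."""
    return length * math.log2(alphabet_size)


def scan_time_seconds(length: int, req_per_sec_per_machine: float, machines: int) -> float:
    """Wall-clock time to visit every token in the space at the given aggregate rate."""
    return keyspace_size(length) / (req_per_sec_per_machine * machines)


def expected_fraction_found(samples: int, length: int) -> float:
    """Expected fraction of live links hit by `samples` uniformly random probes
    (drawn with replacement): 1 - (1 - 1/N)^samples for a space of size N."""
    n = keyspace_size(length)
    return 1.0 - (1.0 - 1.0 / n) ** samples


def enumerate_tokens(length: int):
    """Yield every token of the given length, in lexicographic order."""
    for chars in itertools.product(ALPHABET, repeat=length):
        yield "".join(chars)


def brute_force_scan(resolve, length: int) -> dict:
    """Visit the whole token space and keep every token that resolves to a target.
    `resolve(token)` returns the long URL or None; here it is an offline stand-in
    for the shortener's redirect service, so nothing touches the network."""
    found = {}
    for token in enumerate_tokens(length):
        target = resolve(token)
        if target is not None:
            found[token] = target
    return found


# Constructed sample: a tiny three-character space with a few "live" links.
# (Three characters keep the exhaustive scan to 238,328 lookups.)
SAMPLE_RESOLVER = {
    "aB3": "https://example.invalid/onedrive/report.docx",   # placeholder target
    "Zz9": "https://example.invalid/maps/dir/home/to/clinic",  # placeholder target
    "q7Q": "https://example.invalid/onedrive/budget.xlsx",     # placeholder target
}


def scan_sample() -> dict:
    """Run the exhaustive scan against the constructed resolver."""
    return brute_force_scan(SAMPLE_RESOLVER.get, length=3)


if __name__ == "__main__":
    print(f"6-char space: {keyspace_size(6):,} tokens, {token_entropy_bits(6):.1f} bits")
    print(f"at 1,000 req/s on 100 machines: {scan_time_seconds(6, 1000, 100) / 86400:.1f} days")
    print(f"22-char base64url token: {token_entropy_bits(22, 64):.0f} bits")
    print("exhaustive 3-char scan found:", scan_sample())
```

The point of the last two prints is the contrast: a six-character base-62 token carries under 36 bits, so a modest cluster covers the whole space in days, whereas a 22-character base64url token (about 132 bits) cannot be enumerated at all. A sharing link is only as private as the entropy of the part an outsider cannot guess.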
The researchers also see a disconnect between Google's and Microsoft's treatment of these addresses as relatively private and the reality that they are public and accessible to anyone. Shmatikov contends much of the exposed data they revealed is still live and vulnerable, and that both companies and users need more awareness of URL shortening's privacy ramifications.
"[Users] think they're sharing a document with a collaborator," he says. "But if you're sharing a six-character shortened URL, you're sharing it with the whole world."
Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA