URL shorteners turn the links you want to share on blogs and social networks into something short and tidy. But did you know that a shortened URL can pose a serious security risk?
Two researchers reached that conclusion in a study spanning 18 months. Vitaly Shmatikov of Cornell Tech and Martin Georgiev examined the URL shortening used by Microsoft's OneDrive cloud-storage application and by Google Maps.
What they found is alarming. Microsoft used the Bitly service to generate short URLs pointing to users' OneDrive files, and those shortened URLs have a predictable structure.
As reported by The Next Web, this makes it easy for someone to view a file stored in OneDrive and then discover other files shared by the same user.
Not just files, but other sensitive information as well. Moreover, anyone who can see the file could easily inject malware and viruses into it.
For Google Maps, Shmatikov and Georgiev said the links used 5-character tokens, so they could scan the URL space and see the origin and destination of the URL's owner. Although that information may look random and useless, the two note that a destination address can be used to obtain data such as a person's surname and age.
Fortunately, both services changed their URL-shortening methods after the researchers warned Google and Microsoft of the findings. Shmatikov and Georgiev said Google responded immediately and now uses 11-12 character tokens on Maps links to defeat URL scanning.
Microsoft, for its part, claimed that its decision to disable link shortening in OneDrive was not caused by the two researchers' findings.
Even so, Shmatikov said the findings needed to be published, noting that giving users shortened links to their files appears to do real harm.
To keep data secure, Shmatikov and Georgiev therefore recommend using an in-house resolver rather than a service like Bitly, keeping bots from scanning with CAPTCHAs, and developing robust APIs that do not expose the whole file.
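The two defensive points in the article, tokens long enough that scanning finds nothing and a resolver that notices scanning, can be made concrete. The following is an added example written for this page; it is not code from the researchers, Microsoft, Google or Bitly. It assumes a 64-symbol URL-safe alphabet, uniformly random tokens, and illustrative rate-limit thresholds (a miss limit per client within a time window); none of those values come from the article. `minimum_token_length` turns a scanning budget into a token length, and `ShortLinkResolver` is a minimal in-house resolver that returns `"blocked"` once a client accumulates too many failed lookups, which is the point where a CAPTCHA challenge would be inserted.

```python
import math
import secrets
import string
import time
from collections import defaultdict

# Assumption: 64-symbol URL-safe alphabet (62 alphanumerics plus '-' and '_').
ALPHABET = string.ascii_letters + string.digits + "-_"


def token_space_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def minimum_token_length(live_links: int, guess_budget: int,
                         max_expected_hits: float = 1.0,
                         alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest token length such that `guess_budget` random lookups against
    `live_links` valid links are expected to hit at most `max_expected_hits`
    of them. Assumes tokens are drawn uniformly from the alphabet."""
    length = 1
    while guess_budget * live_links / alphabet_size ** length > max_expected_hits:
        length += 1
    return length


class ShortLinkResolver:
    """In-house resolver: unguessable tokens plus per-client miss limiting."""

    def __init__(self, token_length: int = 12, miss_limit: int = 20,
                 window_seconds: float = 60.0, clock=time.monotonic):
        # Illustrative defaults; a 12-symbol token of this alphabet has 72 bits.
        self._links = {}
        self._misses = defaultdict(list)  # client_id -> timestamps of failed lookups
        self._token_length = token_length
        self._miss_limit = miss_limit
        self._window = window_seconds
        self._clock = clock  # injectable so the window logic can be tested

    def shorten(self, long_url: str) -> str:
        """Create a short token for `long_url` using a CSPRNG, retrying on collision."""
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(self._token_length))
            if token not in self._links:
                self._links[token] = long_url
                return token

    def resolve(self, token: str, client_id: str):
        """Return ("ok", url), ("not_found", None) or ("blocked", None).

        A client whose failed lookups within the window reach the limit is
        blocked; this is where a CAPTCHA or similar bot check would be required
        before further lookups are served.
        """
        now = self._clock()
        # Keep only the misses that still fall inside the sliding window.
        recent = [t for t in self._misses[client_id] if now - t < self._window]
        self._misses[client_id] = recent
        if len(recent) >= self._miss_limit:
            return "blocked", None
        url = self._links.get(token)
        if url is None:
            recent.append(now)  # count the miss against this client
            return "not_found", None
        return "ok", url
```

The resolver only ever returns the single URL behind a token, never a listing of the owner's other links, which is the "robust API" half of the recommendation; the miss counter gives a detection signal (a client that keeps asking for non-existent tokens is scanning) as well as a place to demand a CAPTCHA.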