For anyone with minimalist tastes or an inability to use copy-paste keyboard shortcuts, URL shorteners may seem like a perfectly helpful convenience. Unfortunately, the same tools that turn long web addresses into a few characters also offer the same conveniences to hackers—including any of them motivated enough to try millions of shortened URLs until they hit on the one you thought was private.
That’s the lesson for companies including Google, Microsoft, and Bit.ly in a paper published by researchers at Cornell Tech. The researchers’ work demonstrates the unexpected privacy-invasive potential of “brute-forcing” shortened URLs: By guessing at shortened URLs until they found working ones, the researchers say that they could have pulled off tricks ranging from spreading malware on unwitting victims’ computers via Microsoft’s cloud storage service to finding out who requested Google Maps directions to abortion providers or drug addiction treatment facilities.
The Cornell Tech researchers’ work began more than a year and a half ago when they noticed that certain Google and Microsoft services—namely Microsoft OneDrive and Google Maps—used Bit.ly’s URL shortening service to generate web addresses with only six seemingly random characters. That’s few enough that a determined nerd could use software to automatically generate, visit and analyze all of the millions of possible shortened URLs, or at least a significant fraction of them. “With a decent number of machines you can scan the entire space,” says Cornell Tech computer scientist Vitaly Shmatikov. “You just randomly generate the URLs and see what’s behind them.”
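To put that "scan the entire space" remark in numbers from the defender's side, here is an added example (not code from the article or from the Cornell Tech paper) that sizes a shortener's token space and works out how long an enumerator needs to cover it. The 62-symbol alphanumeric alphabet, the request rates and the link counts are assumptions chosen for illustration; the six-character length comes from the article.

```python
import math

# Added example: sizing a URL shortener's token space. The 62-symbol
# alphabet [A-Za-z0-9] and all request rates are assumptions; the article
# only says Bit.ly tokens were six "seemingly random" characters.

ALPHABET_SIZE = 62
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct tokens of the given length."""
    return alphabet ** length

def entropy_bits(length, alphabet=ALPHABET_SIZE):
    """Bits of unpredictability a uniformly random token carries."""
    return length * math.log2(alphabet)

def years_to_enumerate(length, requests_per_second, alphabet=ALPHABET_SIZE):
    """Years needed to visit every token once at a sustained request rate,
    i.e. the cost of scanning the entire space."""
    return keyspace(length, alphabet) / requests_per_second / SECONDS_PER_YEAR

def expected_hits(length, probes, live_links, alphabet=ALPHABET_SIZE):
    """Expected live links found by `probes` uniformly random guesses when
    `live_links` tokens are in use (valid while probes << keyspace)."""
    return probes * live_links / keyspace(length, alphabet)

def min_length_for_margin(requests_per_second, years, alphabet=ALPHABET_SIZE):
    """Smallest token length for which a full scan at the given rate takes
    at least `years` years: the mitigation is simply a longer token."""
    needed = requests_per_second * SECONDS_PER_YEAR * years
    return math.ceil(math.log(needed, alphabet))

if __name__ == "__main__":
    for n in (6, 8, 12):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"{years_to_enumerate(n, 10_000):.2e} years at 10k req/s")
    # Assumed scanner: one million random probes against a million live links.
    print(f"expected hits with 6 chars: {expected_hits(6, 1_000_000, 1_000_000):.1f}")
    print("length for a 100-year margin at 1M req/s:",
          min_length_for_margin(1_000_000, 100))
```

At six characters the whole space is about 5.7e10 tokens and falls to a single host doing 10k requests a second in a couple of months, which is why the researchers treat such links as effectively public.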
Despite that simple method to discover the shortened URLs, both Google and Microsoft still treated some of those addresses as relatively private—or at least, private enough to assume that only the creator of the link or someone they directly shared it with would ever access it. But in fact, the researchers write, “online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities.”