Are Shortened Links Compromising Your Security?

Dann Albright 20-04-2016

URL shorteners like tinyurl (and the many services built on the same idea) make it much easier to share links: you don't have to paste a long, ugly URL into a chat window or an email to get someone to the page you want them to see. But a recent study showed that this convenience can come with a significant cost to your security.


The Study

Over the course of 18 months, two researchers at Cornell Tech looked at the shortened URLs created by two different services: Microsoft OneDrive and Google Maps. Both services generate short links for sharing (OneDrive uses them to share access to documents and folders, and Google Maps uses them to share directions or locations).

Because these shortened links contain so few characters, the space of possible tokens is small enough to search by brute force: the researchers simply generated random six-character tokens (a mix of letters and digits) and resolved each one to see whether it led anywhere. Of the 100,000,000 tokens they tried, 42% resolved to real full URLs, and almost 19,500 of those pointed at OneDrive documents.


The researchers also found almost 24,000,000 live links when scanning the five-character tokens that Google Maps used at the time, and about 10% of those were driving directions.
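The arithmetic behind those results is worth seeing explicitly, because it is what makes short tokens dangerous: an attacker does not need to enumerate the whole space, only to make enough random guesses for the density of live links to pay off. The following is an added example (not code from the study or from this page) that models a scan using the figures quoted above. The 62-character alphabet and the assumed rate of 1,000 resolution requests per second are assumptions, not numbers from the paper.

```python
import math

# Assumption: tokens are drawn from the 62-character alphabet [a-zA-Z0-9],
# which is what most shorteners use. Change ALPHABET_SIZE if yours differs.
ALPHABET_SIZE = 62

# Figures quoted on this page from the Cornell Tech study, used as sample input.
SIX_CHAR_SAMPLED = 100_000_000    # random six-character tokens tried
SIX_CHAR_RESOLVED = 42_000_000    # 42% resolved to a real URL
SIX_CHAR_ONEDRIVE = 19_500        # ...of which almost 19,500 were OneDrive documents
FIVE_CHAR_LIVE = 24_000_000       # live five-character Google Maps links found


def keyspace(token_len, alphabet_size=ALPHABET_SIZE):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** token_len


def live_fraction(sampled, resolved):
    """Share of random tokens that resolve, estimated from a random sample."""
    return resolved / sampled


def requests_per_hit(fraction):
    """Expected number of resolution requests per live link (or per link of a
    particular kind, if `fraction` is the share of that kind among guesses)."""
    return math.inf if fraction == 0 else 1.0 / fraction


def seconds_to_enumerate(token_len, rate_per_sec, alphabet_size=ALPHABET_SIZE):
    """Wall-clock time to try every token of this length at a given request rate."""
    return keyspace(token_len, alphabet_size) / rate_per_sec


def scan_profile(token_len, live_links, rate_per_sec, alphabet_size=ALPHABET_SIZE):
    """What random scanning yields at `rate_per_sec`: the density of live links
    in the token space, expected hits per hour, and years to enumerate it all."""
    space = keyspace(token_len, alphabet_size)
    density = live_links / space
    hits_per_hour = density * rate_per_sec * 3600
    years = seconds_to_enumerate(token_len, rate_per_sec, alphabet_size) / (365 * 24 * 3600)
    return {"keyspace": space, "density": density,
            "hits_per_hour": hits_per_hour, "years_to_enumerate": years}


if __name__ == "__main__":
    six = live_fraction(SIX_CHAR_SAMPLED, SIX_CHAR_RESOLVED)
    print(f"6-char keyspace: {keyspace(6):,}")
    print(f"fraction of random 6-char tokens that are live: {six:.0%}")
    print(f"requests per OneDrive document: "
          f"{requests_per_hit(SIX_CHAR_ONEDRIVE / SIX_CHAR_SAMPLED):,.0f}")
    # Assumed rate of 1,000 resolutions per second; the 11-char row reuses the
    # Google Maps link count to show what lengthening the token alone buys.
    rate = 1000
    for length, live in ((5, FIVE_CHAR_LIVE), (6, int(six * keyspace(6))), (11, FIVE_CHAR_LIVE)):
        p = scan_profile(length, live, rate)
        print(f"{length:>2}-char tokens: density {p['density']:.2e}, "
              f"{p['hits_per_hour']:,.0f} hits/hour, "
              f"{p['years_to_enumerate']:,.0f} years to enumerate all")
```

The point the numbers make: at five characters roughly one guess in forty is a live Google Maps link, so a modest request rate yields tens of thousands of hits an hour, while the same number of links spread over an 11-character space gives a hit rate measured in decades per link. The cost of the attack is dominated by how many requests the shortener will answer, not by computing power.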

Getting at OneDrive documents and Google Maps directions is bad enough, but the researchers found they could go further with what those links revealed. OneDrive URLs follow a standard structure, so from a single shared document they could navigate to other files and folders in a number of OneDrive accounts. Many of those locations turned out to be writable, meaning an attacker could change existing files or plant malware that OneDrive's sync client would then download automatically to the owner's computer.



And with Google Maps, the researchers uncovered a lot of information that people would probably want to keep private. By looking at directions that started from residential addresses, they could make educated guesses about which households included someone who visited specialist medical clinics, addiction treatment centers, strip clubs, or abortion providers. Location data has been shown to be very effective at identifying individuals, and a home address combined with this kind of abbreviated travel history could be very useful to identity thieves.


If you want to read the full paper, it is available on arXiv, and one of the researchers has also published a blog post with a useful summary.


Changes Made

The Cornell Tech researchers shared their results with Microsoft and Google, and both companies have taken steps to decrease the likelihood that their users could be compromised by shortened URLs.

URL shortening was removed from the OneDrive interface, and the technique used to reach other files in a user's account no longer works (although Microsoft denied that its changes had anything to do with this report, or that the study revealed a security vulnerability at all). Existing shortened links, however, still resolve and therefore remain vulnerable.


Google Maps now uses 11- and 12-character tokens instead of the five-character ones offered before, which puts them far beyond the reach of a brute-force scan. Google also made it more difficult to resolve vast numbers of URLs at once.


Stay Careful

Even though these two services have taken steps to mitigate the threat, more weaknesses in the link-shortening process will likely turn up in the future. Nothing exotic is required to find them: scanning a token space is plain enumeration, and the limiting factor is how many resolution requests an attacker can make, not how much computing power they have. When I recently checked whether popular shortening services still use small tokens, two of the services I tried, tinyurl among them, used six-character tokens, and a third used seven.


While both are better than Google's previous five characters, it is still worrying that people could be handing out access to important files or personal information this way. The Cornell Tech researchers showed that a simple brute-force scan of these URLs can reveal a surprising amount about specific users, including some of the most important pieces of information for identity theft.

So what should you do? The safest option is simply not to use URL shorteners for anything that could be valuable to a hacker, identity thief, or other miscreant. The underlying issue is that a sharing link is itself the credential: anyone who has it gets in, and shortening it makes it guessable. Shorteners are really useful, but most of the time a long URL works just fine. It is big and ugly and takes up a lot of space in an email or chat window, but it is also a lot safer.



Also, be aware that many other services offer URL shortening, and you should be careful with those as well. How each service handles permissions for shortened URLs is likely to differ, but if you accidentally gave away access to a Flickr, Google Photos, Google Drive, Twitter, Facebook, or other post, it is hard to know what the consequences would be.

If a service gives you the choice of a token longer than six or seven characters, take it. The researchers say in their paper that the 11- and 12-character tokens now used by Google Maps are not brute-forceable (at least with current technology and a reasonable amount of effort), so aiming for at least 10 characters is a sensible rule of thumb.

Or run your own URL shortener, and make sure it uses enough characters in its URL tokens and that those tokens are random rather than sequential: a counter-based token is enumerable no matter how long it is.
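As an added example of what "enough characters" means in practice (this is illustrative code, not any real shortener's implementation), the minimal in-memory shortener below derives its token length from a minimum entropy target and refuses to run with anything shorter. The 64-bit minimum is an assumption of mine, not a figure from the study; with a 62-character alphabet it works out to 11 characters, which lines up with the token lengths Google Maps moved to. Tokens come from Python's `secrets` module so that they are unpredictable as well as long.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 characters, [a-zA-Z0-9]

# Assumption (not from the study): a token should carry at least 64 bits of
# randomness. With a 62-character alphabet that requires 11 characters.
MIN_TOKEN_BITS = 64


def token_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random token of `length` characters."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(bits, alphabet_size=len(ALPHABET)):
    """Shortest token length that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


class Shortener:
    """In-memory URL shortener whose tokens are random, not sequential."""

    def __init__(self, token_len=None, min_bits=MIN_TOKEN_BITS):
        if token_len is None:
            token_len = min_length_for_bits(min_bits)
        if token_bits(token_len) < min_bits:
            raise ValueError(
                f"{token_len}-character tokens give only {token_bits(token_len):.1f} bits; "
                f"need {min_bits} (at least {min_length_for_bits(min_bits)} characters)")
        self.token_len = token_len
        self._links = {}

    def _new_token(self):
        # secrets is a CSPRNG. Never use random.* here, and never a counter or
        # database id: a sequential token is enumerable however long it is.
        return "".join(secrets.choice(ALPHABET) for _ in range(self.token_len))

    def shorten(self, url):
        token = self._new_token()
        while token in self._links:   # collisions are vanishingly rare but cheap to handle
            token = self._new_token()
        self._links[token] = url
        return token

    def resolve(self, token):
        """Return the long URL, or None for an unknown token (no hints about near-misses)."""
        return self._links.get(token)

    def live_fraction(self):
        """Share of the token space that currently resolves: an attacker's hit rate per random guess."""
        return len(self._links) / (len(ALPHABET) ** self.token_len)


if __name__ == "__main__":
    s = Shortener()
    t = s.shorten("https://example.com/some/very/long/path?with=parameters")
    print(t, "->", s.resolve(t))
    print(f"{s.token_len}-char tokens, {token_bits(s.token_len):.1f} bits, "
          f"live fraction {s.live_fraction():.1e}")
    try:
        Shortener(token_len=6)
    except ValueError as e:
        print("rejected:", e)
```

The `live_fraction` method is the number to watch if you run something like this for real: it is exactly the quantity the researchers exploited, and it grows with every link you mint, so the token length has to be chosen for the number of links you expect to host over the service's lifetime, not for the handful you start with.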

Do You Use URL Shorteners?

Shortening services seem to be growing in popularity, with new ones popping up regularly. Twitter's 140-character limit and the difficulty of working with long strings of text on mobile devices have likely contributed to their usefulness, and the ability to send a link in a much more viewer-friendly format is certainly appealing. There is no arguing that they are very convenient, but the convenience may not be worth the risk.

Do you use a URL shortening service? Which one do you use? Do you use it for sensitive documents, or just for publicly accessible links? Are you now worried about the security of your links? Share your thoughts below!

Image credits: Georgiev and Shmatikov via arXiv.
