URL shorteners may be exposing your private information

Discussion in 'other security issues & news' started by JRViejo, Apr 15, 2016.

  1. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,966
    Location:
    U.S.A.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi JR,

    Can I assume that if I don't use any of those "services" that my own computer hard drive cannot be accessed using that brute force technique?

    ----
    rich
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,966
    Location:
    U.S.A.
    Rich, never assume anything; you know what that makes us. ;) OTH, given your expertise, your hard drive will not be messed with... unless you want it to be messed with. :D

    In all seriousness, their scope of testing was limited to Cloud Services, and Maps. It is reminiscent of using short password lengths, and how easily those can be revealed while being brute forced. The fact that short Google URLs went from 5- to 7-character tokens to 11 and 12 immediately, plus Microsoft OneDrive stopping the URL shortening option (although prior posted tiny URLs are still vulnerable), all together inform us how dangerous this shortening technique can be.

    Whenever we find a tiny URL, Wilders have been replacing them with their longer counterparts for the past 11 years, mainly because thread/post viewers should know where they are being asked to visit. This new revelation makes it imperative that we continue to do so.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    From what I understand the files which are being exposed are files hosted on file sharing services such as OneDrive and Google Drive. Because the method for shortening URLs was too weak, the researchers could generate valid shortened URLs themselves and as such access random long URLs on which the files are 'hidden'.

    Imho most articles miss the point. The information was never private to begin with, the fact that you need to know a long URL in order to access it does not negate the fact that the files are publicly available on the internet.
    If you dig a hole in a public park and bury something secret there, it may be 'private' in the sense that people who don't know where you buried it probably won't find it, but anyone who stumbles across it by accident or starts digging holes everywhere to find it can still easily access it.
    So to use this example, the researchers knew lots of people buried their secrets in a park, so the researchers just started digging holes on random places and uncovered secrets.
    The weakness in URL shorteners only lowered the number of digging attempts they needed to do in order to find something.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes indeed!
    Well, I can't imagine creating a URL to access a file on my computer. The only time I've used shortened URLs is in emails where a long URL takes up 4-5 lines that may break in the recipient's email program.
    I've always appreciated that.

    thanks,

    ----
    rich
     