Anyone who’s used a link shortener has probably wondered how easily a short link can be guessed. It’s no big deal when you’re just bookmarking a blog post, but a little more troubling when you’re shortening directions to your house. If you’ve ever punched in the wrong bit.ly link, you may have inadvertently spied on someone already.
Researchers at Cornell Tech have a paper out today on some of the privacy concerns around link shorteners, specifically the ones generated by Google and Microsoft using bit.ly’s shortening tool. Links to sometimes-sensitive documents at Google Maps and Microsoft’s OneDrive were shortened into six-character URLs, which means anyone could stumble upon those links simply by trying character combinations until one resolves.
Andy Greenberg examines the implications of this over at Wired:
The researchers’ work demonstrates the unexpected privacy-invasive potential of “brute-forcing” shortened URLs: By guessing at shortened URLs until they found working ones, the researchers say that they could have pulled off tricks ranging from spreading malware on unwitting victims’ computers via Microsoft’s cloud storage service to finding out who requested Google Maps directions to abortion providers or drug addiction treatment facilities.
Yowzers. Even more frightening is the paper’s scenario where a hypothetical “determined nerd” could both access and exploit millions of bit.ly links.
Should you still use link shorteners? Well, probably never for anything sensitive or proprietary. It’s telling that when Cornell showed their work to Google and Microsoft, Google responded right away with stronger shortened links, while Microsoft did away with shortened URLs entirely. But the final verdict shouldn’t surprise you: “Longer is better.”
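To see why “longer is better,” here is an added example (not from the Cornell paper or from Google, Microsoft or bit.ly) that sizes a short-link token the way a defender would: how densely live links fill the token space, and how many characters are needed before random guesses almost never land on one. The 62-symbol alphabet and the link counts are assumptions for illustration.

```python
import string

# Assumed alphabet: upper- and lower-case letters plus digits, the 62 symbols
# that six-character bit.ly-style tokens are drawn from.
ALPHABET_SIZE = len(string.ascii_letters + string.digits)


def keyspace(token_len: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet_size ** token_len


def hit_density(live_links: int, token_len: int,
                alphabet_size: int = ALPHABET_SIZE) -> float:
    """Fraction of the token space occupied by live links, i.e. the
    probability that one uniformly random guess resolves to a real link."""
    return live_links / keyspace(token_len, alphabet_size)


def expected_guesses_per_hit(live_links: int, token_len: int,
                             alphabet_size: int = ALPHABET_SIZE) -> float:
    """Average number of random tokens tried before one resolves."""
    return 1.0 / hit_density(live_links, token_len, alphabet_size)


def min_token_length(live_links: int, max_density: float,
                     alphabet_size: int = ALPHABET_SIZE) -> int:
    """Smallest token length at which the hit density is at most max_density.
    This is the sizing question a service operator should answer before
    picking a token length."""
    token_len = 1
    while hit_density(live_links, token_len, alphabet_size) > max_density:
        token_len += 1
    return token_len


if __name__ == "__main__":
    # Constructed scenario: one billion live links (an assumption, not a
    # figure from the paper) in a six-character space.
    links = 10**9
    print(f"six-char keyspace: {keyspace(6):,}")
    print(f"hit density at 6 chars: 1 in {expected_guesses_per_hit(links, 6):.0f}")
    # Target: at most one live link per billion random guesses.
    print(f"chars needed for <= 1e-9 density: {min_token_length(links, 1e-9)}")
```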
Head over to Wired to read the whole story, including the study itself.