Shortened URLs have been available for well over a decade now, with the first major shortener service (TinyURL) having launched all the way back in 2002. Why shorten a URL? There are a few good reasons to do so:
- Some URLs are extremely long and ungainly, which can make them hard to view on a page (e.g., in a list of sources at the end of a paper) or type if copy/paste is not available. The dashes, slashes and commas can quickly pile up.
- Platforms such as Twitter have strict character limits that can be quickly eaten up by extended URLs. A truncated URL refers to the same resource but takes far fewer characters to do so.
Indeed, Twitter was critical to the mainstream popularity of shortened URLs, especially ones done through bit.ly, which had been accessed more than 2 billion times by the end of 2009. Competitors such as goo.gl (from Google) and t.co (from Twitter itself; all links posted to Twitter now pass through this service) arose shortly thereafter.
One of the new frontiers for URL shorteners is cloud computing platforms such as Microsoft OneDrive and geolocation services like Google Maps. Shortened URLs offer the benefits outlined above as well as some degree of privacy and opacity.
Whereas many full URLs are to some degree descriptive of the resource they lead to, shortened ones are seemingly random characters that wouldn’t look much different whether the destination was a sensitive cloud-stored spreadsheet or a Google Maps route to a local pharmacy. But are they really that safe for their users?
Old and new cyber security risks with shortened URLs
The opacity of shortened URLs has been an issue in the past, as Trend Micro’s Rik Ferguson pointed out in a blog post. Since the URL structure doesn’t offer any description, it can be hard to tell whether the link leads to a legitimate site; a truncated URL can obfuscate the destination and serve as a mask for a phishing scam.
Several similar situations have emerged since then:
- In 2010, malware was discovered by Trend Micro researchers, who found that it used shortened URLs to spam instant messaging services such as Yahoo! Instant Messenger and the now-defunct MSN.
- In 2012, a Skype worm spread quickly through the use of a shortened URL that led to a compromised file that, when executed, could enlist a PC into a botnet.
- In 2014, a particular shortened goo.gl URL got a huge number of clicks from people receiving a fraudulent “ACH Notification” email; the link led to a malware-laced ZIP file.
We should note that shortened URLs aren’t the problem so much as the actual ransomware, spyware and other malware that is being created to take advantage of vulnerable systems. However, URL shortening services are enablers, or perhaps weak links (pun intended) in the security chain. It’s not just the lack of transparency, but the actual shortness that is increasingly an issue.
Brute-forcing shortened URLs to cloud services
More than a year ago, researchers at Cornell Tech noticed that OneDrive and Google Maps sometimes generated bit.ly links that only contained six random characters. This means that the total number of possible combinations is only slightly more than 2 billion – not doable for a person trying to guess all of them, but well within the capabilities of a powerful set of CPUs.
“With a decent number of machines you can scan the entire space,” Cornell Tech computer scientist Vitaly Shmatikov told WIRED. “You just randomly generate the URLs and see what’s behind them.”
Many of these links are intended for private use only – for example, as the way to get to a personal document stored in the cloud – but they are not, in effect, private. The team of researchers generated millions of possible bit.ly URLs for OneDrive and discovered that they had access to thousands of live files.
Moreover, with small tweaks to the full URL (revealed after the pages loaded), they could find more info about the files or accounts in question. Some of the assets were even publicly editable. Another risk of this easy path into a cloud platform is the ability to spread malware at great speed and tremendous scale.
Cloud services such as OneDrive offer tight synchronization across multiple platforms. You can change a file on your phone, and those changes will be reflected on your PC or tablet, often instantaneously. This means that a compromised file uploaded to a cloud account could move quickly to someone’s PC and, since many services offer desktop sync, possibly into their local file system.
With mapping services (not just Google Maps, but also Mapquest and others), shortened URLs can be especially revealing. They may expose actual directions with starting and ending locations, potentially allowing identity theft through the discovery of someone’s home address and phone number.
Protecting against shortened URL scams
How can users of cloud, mapping and email services best guard against shortened URLs? Some of it is out of their control, for sure; service providers should use longer links that are harder to brute-force, and to their credit some have already taken this approach.
Beyond that, users can take steps such as:
- Being careful when receiving any unusual email containing a shortened URL. With some services like goo.gl, the short URL can be modified by adding /info/ at the end to go to the corresponding Google Analytics page and see what lies beneath.
- Always being cautious about downloading .zip and similar file types from unfamiliar sources. Use antivirus software and other defensive mechanisms to vet the files on your system for embedded malware.
- If you work for an enterprise, protecting your network with a security service that provides real-time analysis of threats to proactively protect your assets using cloud-based security infrastructure.
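As an added example (not code from the original article), the following script does the "see what lies beneath" check in a safer, general form: it walks a short link's redirect chain with HEAD requests only, never downloading content, and reports a token short enough to be enumerated or a destination that is an archive or executable. The hostnames and the fake redirect table used for the offline demonstration are constructed.

```python
import posixpath
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# File types the article's examples used as malware carriers (ZIP) plus common executables.
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".jar", ".js"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_TOKEN_LEN_TO_FLAG = 6  # six alphanumeric characters: a space small enough to scan


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects; we want to see each hop ourselves."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url):
    """Send one HEAD request and return (status, Location header) for that single hop."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises on 3xx when redirects are refused
        return err.code, err.headers.get("Location")


def expand_short_url(url, fetch=http_head, max_hops=5):
    """Return (chain, resolved): every URL visited, and whether the chain ended in a non-redirect."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain, True
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain, False


def inspect(url, fetch=http_head):
    """Expand a short link without touching its content and list the warning signs found."""
    chain, resolved = expand_short_url(url, fetch)
    findings = []
    token = urlparse(chain[0]).path.strip("/")
    if token.isalnum() and len(token) <= MAX_TOKEN_LEN_TO_FLAG:
        findings.append("short token (%d chars): keyspace is small enough to enumerate" % len(token))
    ext = posixpath.splitext(urlparse(chain[-1]).path)[1].lower()
    if ext in RISKY_EXTENSIONS:
        findings.append("destination is a %s download" % ext)
    if not resolved:
        findings.append("redirect chain did not terminate within %d hops" % (len(chain) - 1))
    return {"chain": chain, "resolved": resolved, "findings": findings}
```

Run `inspect("https://bit.ly/<token>")` against a live link to see the chain; the test below substitutes a constructed redirect table for the network.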
Always watch out for these shortened URLs. Awareness about current threats can help businesses secure their cloud assets.