‘Older shortened URLs Google and Microsoft susceptible to abuse’


Using ‘brute force’ it is possible to resolve shortened URLs to the private URLs behind them, researchers at Cornell Tech University in the United States have discovered. The researchers looked at, among others, shortened Google Maps, Microsoft OneDrive and Bit.ly addresses.

The way to guess the URLs is simple: shortened URLs of up to six characters are tried until a working one is found. In this way, the researchers could have spread malware through various tricks, Wired writes. They could have done this via, for example, Microsoft’s OneDrive. They could also have found out who on Google Maps was behind requested routes to, for example, an abortion clinic or an addiction clinic. After the investigation, but before publication, the researchers notified Microsoft and Google. Google has increased the character count on Maps to 11 or 12 since September 15, and Microsoft has disabled the service altogether. However, old shortened URLs for OneDrive are still accessible.

The researchers got the idea for the study after learning that certain Google and Microsoft services were using Bit.ly’s URL shortener to generate URLs of only six seemingly random characters. That number is so small that it is relatively easy to generate random URLs, visit them and analyze what they point to. One of the researchers tells Wired that it is already possible with a small number of machines to scan the entire address space and see what is behind the URLs.

The main problem was that Google and Microsoft used the service to generate shortened URLs leading to semi-private documents. In the case of Microsoft, the researchers generated 71 million URLs, of which 24,000 were live. About seven percent of the OneDrive files or directories visited turned out to be modifiable. That way, malicious files could have been added to directories. If those were then synced to a local PC, it would be a way to spread malware.

At Google Maps, ten percent of the 23 million generated URLs could be traced back to a location or directions. More than 16,000 of the routes led to a hospital. Other mapping services exhibited the same problems, but on a much smaller scale.
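As an added illustration that is not part of the article or the researchers’ work, the Python sketch below turns the figures above into a token-sizing check: how large the six-character space is, how many live documents a full scan of it would be expected to expose at the OneDrive hit rate reported here, and how long a token must be before a full scan stops being practical. It assumes a 62-character alphabet (A-Z, a-z, 0-9) and an attacker request rate chosen for illustration.

```python
import math

ALPHABET_SIZE = 62  # assumption: short-link tokens drawn from A-Z, a-z, 0-9

# Figures from the article (OneDrive sample): 24,000 live links out of 71 million tried.
ONEDRIVE_SCANNED = 71_000_000
ONEDRIVE_LIVE = 24_000


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of distinct tokens of the given length."""
    return alphabet ** length


def live_fraction(live: int, scanned: int) -> float:
    """Observed share of tokens that resolve to something (a measurement, not a guess)."""
    return live / scanned


def expected_live_hits(length: int, fraction: float) -> float:
    """Expected number of live links exposed by enumerating the whole space."""
    return keyspace(length) * fraction


def days_to_enumerate(length: int, requests_per_second: float) -> float:
    """Wall-clock days to try every token at a sustained request rate (assumed rate)."""
    return keyspace(length) / requests_per_second / 86_400


def min_length_for_bits(min_bits: float, alphabet: int = ALPHABET_SIZE) -> int:
    """Smallest token length whose keyspace carries at least min_bits of entropy,
    i.e. the defender's sizing rule for an unguessable capability URL."""
    return math.ceil(min_bits / math.log2(alphabet))


if __name__ == "__main__":
    frac = live_fraction(ONEDRIVE_LIVE, ONEDRIVE_SCANNED)
    print(f"6-char keyspace: {keyspace(6):,}")
    print(f"expected live OneDrive links in full scan: {expected_live_hits(6, frac):,.0f}")
    # Illustrative rate only: 1,000 requests/s from a handful of machines.
    print(f"days to scan 6 chars at 1k req/s: {days_to_enumerate(6, 1_000):,.0f}")
    print(f"days to scan 11 chars at 1k req/s: {days_to_enumerate(11, 1_000):,.0f}")
    print(f"length needed for 64 bits of entropy: {min_length_for_bits(64)}")
```

The 64-bit line lands on 11 characters, which is the size Google moved Maps links to; a ten-thousand-fold higher request rate still leaves an 11-character space out of reach.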
