Date: 18/04/16
Short URLs a big problem for cloud collaboration, stored data
For anyone with minimalist tastes or an inability to use copy-paste keyboard shortcuts, URL shorteners may seem like a perfectly helpful convenience. Unfortunately, the same tools that turn long web addresses into a few characters also offer the same conveniences to hackers—including any of them motivated enough to try millions of shortened URLs until they hit on the one you thought was private.
That’s the lesson for companies including Google, Microsoft, and Bit.ly in a paper published by researchers at Cornell Tech. The researchers’ work demonstrates the unexpected privacy-invasive potential of "brute-forcing" shortened URLs: By guessing at shortened URLs until they found working ones, the researchers say that they could have pulled off tricks ranging from spreading malware on unwitting victims’ computers via Microsoft’s cloud storage service to finding out who requested Google Maps directions to abortion providers or drug addiction treatment facilities.
The Cornell Tech researchers’ work began more than a year and a half ago when they noticed that certain Google and Microsoft services—namely Microsoft OneDrive and Google Maps—used Bit.ly’s URL shortening service to generate web addresses with only six seemingly random characters. That’s few enough that a determined nerd could use software to automatically generate, visit and analyze all of the millions of possible shortened URLs, or at least a significant fraction of them. "With a decent number of machines you can scan the entire space," says Cornell Tech computer scientist Vitaly Shmatikov. "You just randomly generate the URLs and see what’s behind them."
Despite that simple method to discover the shortened URLs, both Google and Microsoft still treated some of those addresses as relatively private—or at least, private enough to assume that only the creator of the link or someone they directly shared it with would ever access it. But in fact, the researchers write, "online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities."
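For a service that hands out share links, the point above becomes a sizing question: how long must a random token be before guessing stops paying off? The sketch below is an added example, not code from the article or from the Cornell Tech paper. It assumes a 62-symbol alphanumeric alphabet and uniformly random tokens, and the link counts and guess budgets in the demo are constructed values.

```python
import secrets
import string

# Assumption: tokens are drawn uniformly from a-z, A-Z, 0-9 (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_hits(length, live_links, guesses, alphabet_size=len(ALPHABET)):
    """Expected number of live links found by uniformly random guessing."""
    return guesses * live_links / keyspace(length, alphabet_size)


def min_length(live_links, guesses, max_expected_hits,
               alphabet_size=len(ALPHABET)):
    """Smallest token length that keeps expected hits at or below the target."""
    needed = guesses * live_links / max_expected_hits
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


def new_token(length):
    """Generate a share-link token from a cryptographically secure source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: 10 million live links, 1 million guesses.
    live, guesses = 10_000_000, 1_000_000
    print("expected hits at 6 chars:", expected_hits(6, live, guesses))
    safe = min_length(live, guesses, max_expected_hits=0.001)
    print("minimum length for <= 0.001 expected hits:", safe)
    print("sample token:", new_token(safe))
```

Token length only bounds blind guessing; whether a link that has been found should grant access at all is a separate access-control decision.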