Sometimes URLs can be long, hard to type and impossible to remember. They can take up a few lines in an email, or be too long to send via Twitter. So, for the user's convenience, there are services that shorten URLs for us (for example: bit.ly). And typically anything online that exists for convenience can be thought of as a security vulnerability.
What these services do is generate a random 6 or 7 character string, so the link looks something like this: bit.ly/abc123xyz. The problem is that computers these days can easily be programmed to generate such random strings of characters and try out each one as a web address until it gets a hit. A shortened URL to a YouTube video is of no use to a hacker, but a shortened link to a document on cloud services like Google Drive or Microsoft's OneDrive, which are public databases, could be useful.
Google and Microsoft even offer URL shortening built into these applications. Online resources that were intended to be shared with a few trusted friends or collaborators are therefore effectively public and can be accessed by anyone. One hit on such a cloud resource could then lead to other important documents being revealed.
Any document shared on a cloud service via a short link is effectively public. Moreover, a majority of files on cloud services are writable, allowing an attacker to insert malicious content such as a Microsoft Word macro virus.
Lengthening shortened URLs by just two or three more characters can make it millions of times harder for a hacker to get a hit. Many users happily accept shortened URLs, but the offer should come with a warning that the choice might have a downside. Cloud services should also change their systems so that it is no longer possible for an intruder to go from one discovered file to all the other files belonging to the same account.
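To make the keyspace argument concrete, here is an added example (not code from the original post, and not any shortener's own implementation) that sizes a short-link token from the defender's side. It assumes a 62-character alphabet (upper- and lower-case letters plus digits) and constructed figures for the number of live links and a guesser's request rate; it computes the keyspace, its entropy in bits, the average number of random guesses needed before one lands on an existing link, how much harder each extra character makes that, and generates a token with a cryptographically secure random source.

```python
import math
import secrets
import string

# Assumed alphabet: the 62 URL-safe alphanumerics used by most shorteners.
ALPHABET = string.ascii_letters + string.digits
ALPHABET_SIZE = len(ALPHABET)


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=ALPHABET_SIZE):
    """Entropy of a uniformly random token, in bits."""
    return length * math.log2(alphabet_size)


def expected_guesses_per_hit(length, live_links, alphabet_size=ALPHABET_SIZE):
    """Average random guesses until one guess lands on an existing short link.

    The token space is uniform, so the hit probability per guess is
    live_links / keyspace and the expected number of guesses is its inverse.
    """
    return keyspace(length, alphabet_size) / live_links


def seconds_to_first_hit(length, live_links, requests_per_second,
                         alphabet_size=ALPHABET_SIZE):
    """Expected wall-clock time for a guesser at the given request rate."""
    return expected_guesses_per_hit(length, live_links, alphabet_size) / requests_per_second


def hardening_factor(old_length, new_length, alphabet_size=ALPHABET_SIZE):
    """How many times larger the keyspace becomes when the token is lengthened."""
    if new_length < old_length:
        raise ValueError("new_length must be >= old_length")
    return alphabet_size ** (new_length - old_length)


def generate_token(length, alphabet=ALPHABET):
    """Generate a short-link token from a cryptographically secure source.

    random.choice would be predictable from earlier outputs; secrets is not.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed figures for illustration only: one million live links in the
    # service and a guesser issuing one thousand requests per second.
    live_links = 1_000_000
    rate = 1_000
    print(f"{'len':>3} {'keyspace':>22} {'bits':>6} {'guesses/hit':>14} {'days/hit':>10}")
    for length in range(6, 11):
        days = seconds_to_first_hit(length, live_links, rate) / 86_400
        print(f"{length:>3} {keyspace(length):>22,} {entropy_bits(length):>6.1f} "
              f"{expected_guesses_per_hit(length, live_links):>14,.0f} {days:>10.2f}")
    print("factor for 6 -> 9 characters:", hardening_factor(6, 9))
    print("example 9-character token:", generate_token(9))
```

Run the file to print the table; each extra character multiplies the guesser's cost by 62, and the same function pair (`keyspace` and `expected_guesses_per_hit`) also shows why a service's total number of live links matters as much as the token length.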
Sharing a link to cloud-based documents can be safe, but only if proper precautions are taken, like having access control and requiring users to authenticate before accessing the document.
May 26th 2016