Skip to main content

URL shorteners may be compromising link security

how to download torrents man downloading on computer with coffee
Image used with permission by copyright holder
They may save you some real estate in that tweet, Facebook post, or text, but URL shorteners aren’t doing you any favors when it comes to security. According to new research from Cornell Tech, bit.ly and goo.gl can actually allow hackers to gain access to your personal data. Scientists Vitaly Shmatikov and Martin Georgiev conducted an 18-month study of both Microsoft and Google’s shortening method, and found that there were rather severe security flaws in both companies’ practices.

Due to the predictable structure generated by Bit.ly (used by Microsoft in its OneDrive cloud storage app), the duo found that it was easy to find the full URL for one file, and subsequently find the user’s other files. This meant that the researchers were able to access some files that contained sensitive information. Worse yet, a small proportion of these files were write-enabled, which would allow hackers to infect files with malware and viruses relatively easily.

Recommended Videos

In terms of Google’s links (which were used in Google Maps), Shmatikov and Georgiev found that they could determine users’ locations and destinations, all by scanning the shortened URLs with five-character tokens.

Luckily, since being alerted by the Cornell researchers of the issue, both Microsoft and Google have fixed the underlying problem with their shorteners. There are now 11 to 12 character tokens in Google Maps links, and the company has also added security measures to protect against URL scanning. While TheNextWeb reports that “Microsoft didn’t take as kindly to the researchers pointing out the flaw in its service,” it has since disabled the ability to shorten links in OneDrive. 

So what’s to be done to help improve shortener security? Shmatikov and Georgiev have offered a few tips:

  • Use your own resolver and tokens, not bit.ly.
  • Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners.
  • Design better APIs so that leakage of a single URL does not compromise every shared URL in the account.
Lulu Chang
Former Digital Trends Contributor
Fascinated by the effects of technology on human interaction, Lulu believes that if her parents can use your new app…
Texas airport to get a 420-pound security robot
Knightscope's K5 robot.

San Antonio International Airport in Texas is deploying a 420-pound autonomous robot to bolster its security operations.

The 5-foot-4-inch K5 robot, built by California-based Knightscope, will be rolled out in the next couple of months.

Read more
Windows may have a serious security problem on its hands
A finger pressing on a fingerprint reader on a laptop.

The premier sensors enabling Windows Hello fingerprint authentication are not as secure as manufacturers had hoped. Researchers have discovered security flaws in a number of fingerprint sensors used in several laptops that work with the Windows Hello authentication feature.

Security researchers at Blackwing Intelligence have uncovered that laptops made by Dell, Lenovo, and Microsoft can have their Windows Hello fingerprint authentication bypassed easily due to vulnerabilities in the sensors that can cause them to be taken over by bad actors at the system level.

Read more
Bing Chat just beat a security check to stop hackers and spammers
A depiction of a hacker breaking into a system via the use of code.

Bing Chat is no stranger to controversy -- in fact, sometimes it feels like there’s a never-ending stream of scandals surrounding it and tools like ChatGPT -- and now the artificial intelligence (AI) chatbot has found itself in hot water over its ability to defeat a common cybersecurity measure.

According to Denis Shiryaev, the CEO of AI startup Neural.love, chatbots like Bing Chat and ChatGPT can potentially be used to bypass a CAPTCHA code if you just ask them the right set of questions. If this turns out to be a widespread issue, it could have worrying implications for everyone’s online security.

Read more