Some services shorten long, unwieldy URLs. Yet Vitaly Shmatikov, a professor at Cornell Tech (the technical school of Cornell University), and independent researcher Martin Georgiev showed in the course of their study how an attacker can gain access to your data on a cloud drive precisely because of such a shortened URL.
URL-shortening services let you replace a long URL with a short, simple one. As a rule, a short address begins with the service's own domain and ends with a unique token 5, 6, or 7 characters long.
Shortened Links May Expose Your Personal Data
Shortened links generated by services like bit.ly and goo.gl are so short that all possible short addresses can be cycled through, exposing sensitive information on the Web. For example, the authors' sample of 6-character bit.ly tokens involved about 100 million bit.ly URLs. According to the authors, a botnet could gather that volume of data in a single day.
During their work, the researchers focused on cloud storage and mapping services such as Microsoft OneDrive and Google Maps. When you share links to folders, documents, or maps, these services offer to generate a short link.
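To make the keyspace argument concrete from a defender's side, here is an added example (not code from the article or from the researchers' paper) that scans outbound text for links to the shortening services named above, extracts the token, and reports how large the token space is and how long a scanner with a given daily budget would need to cover it. The assumptions are labelled in the code: tokens are drawn from the 62-character alphanumeric alphabet, the host list is limited to bit.ly and goo.gl, and the sample message is constructed. Such a check fits a data-loss-prevention or awareness tool that warns users before a cloud-storage link leaves the organization through a shortener.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts of the shortening services named in the article (constructed list; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "goo.gl"}

# Assumption: tokens are drawn from the 62-character alphabet [A-Za-z0-9].
TOKEN_ALPHABET_SIZE = 62
TOKEN_RE = re.compile(r"[A-Za-z0-9]+")

# Generic URL matcher for free text; trailing punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class ShortLink:
    url: str
    host: str
    token: str

    @property
    def keyspace(self) -> int:
        """Number of distinct tokens of this length: alphabet_size ** length."""
        return TOKEN_ALPHABET_SIZE ** len(self.token)

    def days_to_enumerate(self, requests_per_day: int) -> float:
        """Days a scanner issuing `requests_per_day` lookups needs to try every token once."""
        return self.keyspace / requests_per_day


def parse_short_link(url: str) -> ShortLink | None:
    """Return a ShortLink if `url` points at a known shortener and carries a single token path."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in SHORTENER_HOSTS:
        return None
    token = parsed.path.strip("/")
    # A shortener token is exactly one path segment from the token alphabet.
    if not token or "/" in token or not TOKEN_RE.fullmatch(token):
        return None
    return ShortLink(url=url, host=host, token=token)


def find_short_links(text: str) -> list[ShortLink]:
    """Find every shortener link in free text (an e-mail body, a chat message, a ticket)."""
    found = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        link = parse_short_link(url)
        if link is not None:
            found.append(link)
    return found


def risk_report(text: str, requests_per_day: int) -> list[tuple[str, int, float]]:
    """For each shortener link: (url, keyspace, days to exhaust the keyspace at the given budget)."""
    return [
        (link.url, link.keyspace, link.days_to_enumerate(requests_per_day))
        for link in find_short_links(text)
    ]


# Constructed sample message; the tokens are made up and resolve to nothing.
SAMPLE_MESSAGE = (
    "Hi, the quarterly folder is at https://bit.ly/1AbCdE and the map is "
    "https://goo.gl/Xy9zQ. The full report lives at https://example.com/reports/q1."
)

if __name__ == "__main__":
    # Budget taken from the article: about 100 million lookups per day.
    for url, keyspace, days in risk_report(SAMPLE_MESSAGE, 100_000_000):
        print(f"{url}: {keyspace:,} possible tokens, ~{days:.1f} days to exhaust")
```

The 6-character bit.ly token in the sample yields 62^6, roughly 5.7e10 possibilities, which at 100 million lookups a day is exhausted in well under two years, and the 5-character goo.gl token in about nine days. The number to act on is not the exact day count but the order of magnitude: a token space that a single botnet can cover is not a secret, so a short link to private cloud content should be treated as public.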
After analyzing 42,229,055 short bit.ly addresses, the authors found 3,003 links leading to documents and folders in OneDrive storage. Most of them turned out to be valid.
Thus, if a shortened URL references data in a cloud service, an outsider can gain access to that information even though it was never made public. As the experts note, starting from such a link, other files and folders of the same account can be reached as well.
As a result of the scan, the researchers found more than 227 thousand publicly accessible OneDrive URLs pointing to documents, including thousands of PDF, Word, spreadsheet, and media files. Vitaly Shmatikov and Martin Georgiev noted that the analysis used only metadata; no files were downloaded.
According to the experts, about 7% of the open OneDrive folders can be edited by anyone. This lets attackers modify existing content or upload arbitrary content, including malicious software, which the service will then automatically sync to the user's devices.
The researchers informed Microsoft about the problem. In March 2016, the company changed the algorithm for generating links, but old links remain operational and are still not protected.