Search Box

Monday, April 25, 2016

"" URLs May Be Easily Hacked

Gone In Six Characters: Short URLs Considered Harmful for Cloud Services

Vitaly Shmatikov | April 14, 2016

TL;DR: short URLs produced by,, and similar services are so short that they can be scanned by brute force.  Our scan discovered a large number of Microsoft OneDrive accounts with private documents.  Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.  We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.
URL shorteners such as and perform a straightforward task: they turn long URLs into short ones, consisting of a domain name followed by a 5-, 6-, or 7-character token.  This simple convenience feature turns out to have an unintended consequence.  The tokens are so short that the entire set of URLs can be scanned by brute force.  The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.

"Fine-grained data associated with individual residential addresses can be used to infer interesting information about the residents. We conjecture that one of the most frequently occurring residential addresses in our sample is the residence of a geocaching enthusiast. He or she shared directions to hundreds of locations around Austin, Texas, as shown in the picture, many of them specified as GPS coordinates. We have been able to find some of these coordinates in a geocaching database." Source:

<more at; related articles and links: (Hacker cracks TinyURL rival, redirects millions of Twitter users. 'Single point of failure' in Cligs short URL service shunts 2.2 million addresses to blogger. June 16, 2009) and (StopTheHacker:The Curse of the URL Shorteners: How Safe Are They? February 19, 2010)>

No comments:

Post a Comment