Site icon Panda Security Mediacenter

The danger of shortened links: exposed personal information

enlacesacortados_1Microblogging gives us the freedom to turn our thoughts or our status posts into conversations.  Social networks like Twitter have opened doors for this type of instant communication.  Even shorter than Twitter’s 140 characters is bit.Ly, an insanely popular platform for shrinking long URLs.  But as always, with Bitly’s effectiveness and convenience, comes great security risks.

Most of us are aware that these shortened links have the possibility of being dangerous because… we don’t really know what is behind “the link”.  All we see is a condensed URL (unless we click it).  We need to use a special service to see the original URL before “clicking” it. Browser extensions like Mozilla Firefox’s Unshorten.it (Mozilla Firefox) or Google Chrome’s LongURL were created to make this process easier.

 

Relying on shortened links can be dangerous

 

A recent study published by a group of researchers from the School of Technology at Cornell University in New York has demonstrated that the danger doesn’t only exist in the links themselves, but also, where-in-the-internet they might take you.  There also exists a possible threat to your private information stored in files on the Cloud. The bad guys have gained access to thousands of files in OneDrive, Google Drive and Google Maps from these shortened links.

 

The problem is that these reduced URLs are not only short but also very predictable. They all follow the same structure. It is extremely easy to see hundreds or thousands of possible variants, automatically and in a matter of seconds, by checking to see if the link is directed to a file in the cloud.

 

 

When links fall into the wrong hands

 

“OneDrive URLs have predictable structure.  From the URL to a single shared document (“seed”), one can construct the root URL and automatically traverse the account”, as explained in the study. Following this procedure, researchers have gained access to nearly a million and a half files, “including hundreds of thousands of PDFs and Word documents, spreadsheets, multimedia and executables”.

 

Once the appropriate links are discovered, an attacker could not only access sensitive information contained in the files, but they could also take advantage of the Cloud so they can infect devices like mobiles and desktops. “This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content, potentially including malware.” This way of distributing malware is worrisome because it is both quick and effective.

 

Exit mobile version