We’ve all seen those huge URLs, whether for a website or a document you have saved in the cloud; they just seem to go on and on with no sign of ever stopping. Then you spot the tiny URL offered to you instead, short and sweet, with only a few letters and numbers to copy and paste before you can open your document anywhere you want. Why not use it? Well, for starters, that small URL may be creating just as easy a path for someone to spy on your data!
Research conducted by Martin Georgiev and Vitaly Shmatikov looked at the abbreviated “short URLs” used by companies such as Google, Microsoft, and even bit.ly, a company dedicated to creating and sharing short URL addresses, and revealed that, using a simple trial-and-error method, the researchers were able to gain access to your cloud storage files.
In particular, Georgiev and Shmatikov were able to find and access files shared through Google Drive and Microsoft’s OneDrive with short URLs. If this wasn’t scary enough, someone could place malicious code in the files that had write permissions enabled, allowing them to spread an infection through one of your files stored in the cloud. The researchers estimated that around 7 percent of the accounts on OneDrive and Google Drive they scanned were vulnerable to this flaw, which is scary, to say the least.
More worrying may be the companies’ differing responses to being alerted to this result: Google doubled the character length of its short URLs, while Microsoft stated that the vulnerability “does not currently warrant an MSRC case”, yet quietly removed the short link function on OneDrive so as not to expose others to the problem while they no doubt investigate.