URL shorteners reveal your trip to strip club, dash to disease clinic – research

Cornell Tech researchers Vitaly Shmatikov and Martin Georgiev claim web URL shorteners are built on predictable syntax that can be searched and identified in a potential breach of privacy. The academics studied URL shorteners – including those created by Google, Bit.ly and Microsoft – finding that attackers could find private …

  1. Anonymous Coward

    Beware Pron ahead

    and other nasties.

    I did click on a bit.ly shortened URL once. Oops... Not a nice place to end up.

    So I bypass any links that are shortened. Much safer in the long run.

    Just my 2p worth. YMMV though but at your own peril/risk/jail term be it.

    1. I ain't Spartacus Gold badge

      Re: Beware Pron ahead

      Exactly. I think URL shorteners are fundamentally insecure for exactly the opposite reason. You don't know where they go to, and you can't go to, say, bit.ly's website, put one in, and find out. And it ain't safe out here on the internet; I like to have my eyes open when I go somewhere.

      I've seen too much - having been a forum Mod a few years ago, for my sins. Mostly it was just 2 Girls 1 Cup and Rick-rolling. But you never know...

      1. Annihilator

        Re: Beware Pron ahead

        "You don't know where they go to, and you can't go to say bit.ly's website put one in, and find out"

        You really can. Put a + symbol at the end of the URL and see.

        http://bit.ly/1WvyY1j links to the Reg story we're commenting on.

        http://bit.ly/1WvyY1j+ shows you the details of the link.

        What would be more helpful is if all the URL shorteners were consistent with that approach though. They usually have different mechanisms.

        1. TeeCee Gold badge

          Re: Beware Pron ahead

          That doesn't help at all.

          I wouldn't click on anything ending in ".ly" anyway, regardless of what it said it was going to do.

      2. Michael Wojcik Silver badge

        Re: Beware Pron ahead

        I think URL shorteners are fundamentally insecure for exactly the opposite reason. You don't know where they go to

        You don't really know where unshortened URLs are going to end up either. Too many IRI tricks, compromised sites, unprotected forwards and redirects...

        But URL shorteners do remove information that is often useful even if it's not trustworthy. Clearly the cost to an attacker of using a shortener is less than the cost of using most other URL-disguising techniques, because shorteners aren't a scarce resource and they're trivial to use (manually or automatically).

        I think it took a long time to get a study like this because security experts took one look at shorteners and said, oh yes, that's clearly a terrible idea; and so few people bothered to look further at other ways in which it's a terrible idea.

        The blog post is well worth reading, by the way. Microsoft and Google have fixed some of the more blatant issues, but the underlying problems remain. (Note, for example, that while one of their OneDrive attacks has been blocked by Microsoft, it continues to work for older OneDrive URLs. So some MS developer decided to slap a band-aid on the problem without fixing the underlying issue.)

    2. Mage Silver badge

      Re: Beware Pron ahead

      It's Twitter's fault.

      The privacy issue isn't important. Short URLs are irrelevant to that. The issue is similar to stupid phones that go to URL in a QR code without showing destination FIRST.

      All short URLs are evil because you can't know what domain / website it goes to before you click. An intermediate page with simply the real link would maybe make short URLs acceptable.

      ANYTHING that "sees" QR codes ought to prompt and not automatically "execute" them. Does QR use short URLs, making that idea useless?

      1. I ain't Spartacus Gold badge

        Re: Beware Pron ahead

        Both the QR code reader apps I've used showed you the link first. Or I'd have deleted them instantly. So sane ones do exist.

    3. Sebastian A

      Re: Beware Pron ahead

      I used to use longurl.org to expand shortened URLs back to full so I could see referral codes or other bollocks before clicking them, but as of a few days ago that seems to have disappeared. :/

  2. Anonymous Coward

    "The actual, long URLs are thus effectively public"

    Well duh.

    Anyone who publishes something on the Internet, but relies on keeping the URL secret as the sole mechanism for protecting that content, deserves what they get.

    URLs are not intended as access control mechanisms.

    1. SecretSonOfHG

      Re: "The actual, long URLs are thus effectively public"

      "URLs are not intended as access control mechanisms."

      Exactly. Another great example of why "security by obscurity" does not work.

      1. Lusty

        Re: "The actual, long URLs are thus effectively public"

        I was thinking this. All URLs in use are subject to the same brute force attack. In fact, if you do brute force on full URLs you'd actually gain access to a significantly larger set of information than just brute forcing short URLs!

        1. Tom Sparrow

          Re: "The actual, long URLs are thus effectively public"

          @Lusty - but I think the point is with a predictable sequence of short URLs on a known domain, the brute force enumeration is a realistic option. Enumerating all possible URLs on even one domain is not practical, let alone the whole internet.

          1. Lusty

            Re: "The actual, long URLs are thus effectively public"

            I'd have thought it perfectly feasible given a structured approach. There aren't all that many combinations if you assume a certain character set. Getting caught by a security system would be the only difference, but given both methods use brute force both will get stopped if a check exists.

      2. Anonymous Coward

        Re: "The actual, long URLs are thus effectively public"

        >"URLs are not intended as access control mechanisms."

        >Exactly. Another great example of why "security by obscurity" does not work.

        Quite - I remember one porn/chat site that used to 'secure' its premium rate galleries and video collections by coding the URLs with time and date stamps. Then they only went and put the time and date of each image/video on the publicly accessible thumbnail page so you had all the information to build the URL.

        Then they took away the time-stamps (but left the date-stamps visible) - but there were only 1440 possible time-stamps in a day (HHMM) and if you knew a model's schedule (ahem, which was also on the public part of the site!) you could narrow that down and very quickly brute-force all the content!

        An example of 'not much security by not much obscurity'.

        That was about 10 years ago, I think (I'd hope) they've upgraded things since!

        A/C obviously!

      3. ratfox

        Re: "The actual, long URLs are thus effectively public"

        Well…

        If the URL contains a string of 64 case-sensitive letters, you have over 10^109 combinations. Assuming 8 billion people are each storing one million documents on the service, it means less than one in 10^93 URLs is valid. Assuming you try one billion URLs a second, it would take over 10^77 years to have a fifty-fifty chance of finding a valid URL. For a random document, mind you, not anything particular that you could actively look for.

        I find it's pretty good security, actually. When you think of it, cryptography is also "security by obscurity" — in the sense that you "only" have to guess the private key, and you can decrypt the message.

        1. JeffyPoooh

          Re: "The actual, long URLs are thus effectively public"

          ratfox "...it would take over 10^77 years..."

          10^77 years? WOW. AN AMAZING COINCIDENCE !!! That's EXACTLY how long it'll take to break into the famous iPhone 5C held by the FBI. The one that was cracked a week or two ago...

          Jeffy's 10^77 Year IT Security Rule:

          All IT Security schemes require exactly 10^77 years to crack, or about five weeks (whichever comes first).

    2. e^iπ+1=0

      Re: "The actual, long URLs are thus effectively public"

      "URLs are not intended as access control mechanisms."

      Wasn't that one of the problems with kiddle?

      http://m.theregister.co.uk/2016/04/11/kiddle/

      Anyway, making a bit.ly link to your stuff takes it off the dark web just like that.

    3. Michael Wojcik Silver badge

      Re: "The actual, long URLs are thus effectively public"

      Anyone who publishes something on the Internet, but relies on keeping the URL secret as the sole mechanism for protecting that content, deserves what they get.

      You might as well claim that users who aren't security experts deserve to be exploited. Blaming the victim doesn't help anyone. It certainly doesn't improve security.

      But, hey, you have 32 upvoters who also are more concerned with mocking people than fixing problems. So you're in ample, if not good, company.

  3. Anonymous Coward

    "anyone with a little patience and a few machines at her disposal."

    Spelled "their" wrong.

    1. Crazy Operations Guy

      I fully agree with your sentiment, and use 'their' as much as I can, but 'their' is a plural pronoun and a singular pronoun is needed, so using 'her' is the correct syntax. English is missing a gender-neutral singular pronoun, so writers must use 'his', 'her', 'his/her', or risk sounding like a serial killer and use 'its'.

      1. Richard 12 Silver badge

        One begs to differ

      2. Lusty

        "English is missing a gender-neutral singular pronoun"

        It isn't. Their is the correct word where gender is unknown, always has been. Using his or her where you don't know the gender or are talking about a generalised person is incorrect. Much of the population lacks the education to use it, but it's correct and is in all the English dictionaries in England. US English may differ as it was purposefully dumbed down.

        1. Michael Wojcik Silver badge

          Their is the correct word where gender is unknown, always has been.

          You're both wrong.

          Singular "they" only dates back to Middle English, as far as anyone's been able to substantiate. So "always has been" is incorrect. And it probably has never been universally accepted; there's some crank in every generation to make a shibboleth out of nearly any English construction.

          More importantly, all prescriptivists are wrong about English. There's no such thing as a "correct word" in English, as the language lacks any widely-accepted authority on usage. English is as it is spoken and written, as long as it's comprehensible to a suitably large audience that understands it as English.

          US English may differ as it was purposefully dumbed down.

          And this claim is so mind-bogglingly stupid there's no rescuing it, I'm afraid.

          1. Lusty

            Are you saying that Webster didn't simplify words when writing his first US English dictionary to reduce complexity? History would tend to suggest otherwise, and you seem to like history.

    2. william flipflops

      adverb

      wrongly

  4. clocKwize

    The whole premise that short URLs are based on is in the name. They shorten URLs to smaller ones. Whoever put pre-authenticated URLs into a short form should be shot. It's not the problem of the short URL.

  5. Frank Bitterlich

    Let me see if I get this right...

    So,

    1. some people publish unsecured content,

    2. use a URL shortener on the URL, and

    3. believe that this protects the content they published.

    Could somebody remind me again why these "researchers" think that the actual vulnerability is in the URL shortener? Just because they fail to keep the long URL "secret"?

    Sure, go ahead and encourage stupid internet users to stick the blame on others when they're too dumb to protect their content because they have no clue about the hosting service they're using.

    "We have to put our stuff on the internet." -- "Why?" -- "Don't know, the article didn't say that."

    1. Anonymous Coward

      Re: Let me see if I get this right...

      "1. some people publish unsecured content,

      2. use a URL shortener on the URL, and

      3. believe that this protects the content they published."

      Not quite.

      1. some people publish unsecured content with a really long URL, which would not be susceptible to a brute-force attack of just guessing each of the characters

      2. use a URL shortener on the URL, and therefore make this 'unguessable' link much easier to guess because it's really short now

      3. believe that this protects the content they published, which was the case for the original URL, but far less so now it's so short and easier to guess.

      Neither has security once you have the URL itself, but getting that 'secret' URL is easier when it's made up of a low number of limited characters.

      1. Anonymous Coward

        Re: Let me see if I get this right...

        > some people publish unsecured content, with a really long URL which would not be susceptible to brute force attack of just guessing lots each of the characters

        It is likely to leak sooner or later.

        * Your own browser may pass it in a "Referer:" header to other sites when navigating away

        * Directory listings may be provided

        * Search engines may find it ("robots.txt" is not a security feature; it's just a hint)

        * The user may send it in an E-mail, which ends up in various mail servers, backup tapes etc.

  6. Chris Miller

    Microsoft, whose OneDrive also has an embedded shortener

    Not any more - it seems to have disappeared.

    1. TRT Silver badge

      Re: Microsoft, whose OneDrive also has an embedded shortener

      OneDrive? Good.

  7. Permidion

    securely publicly published

    I fear I still fail to understand the idea of "securely publicly published" urls.

    If the URL is publicly published, as in anyone can see it, the fact the URL is shortened or not is completely meaningless.

    So, shouldn't the problem be that these URLs have been publicly published in the first place?

    Or is it the idea that the URL contains some authenticating token that may be extracted by brute-forcing the shortened URLs, to then be able to access other content stored at the same place? But then you are stupid if your token gives read AND write and not read only...

    1. Michael Wojcik Silver badge

      Re: securely publicly published

      So, shouldn't the problem be that these URLs have been publicly published in the first place?

      No, that's not the issue at all. If you didn't understand the article, try reading the original paper, or this helpful blog post.

      The problem is that short URLs can be guessed. (That is, they can be scanned by brute force, and for some services, they leak additional information which can be used to improve on brute forcing.) They don't have to be published at all.

  8. JeffyPoooh

    Tom Scott recently did a video on a similar topic

    https://www.youtube.com/watch?v=gocwRvLhDf8

    He explained how YouTube's 11 characters of 64-space each helps to ensure against the brevity vs. brute force issue.

    Same thing. 11 good. 6 not good enough.

    Then again, security through obscurity is useless anyway.
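The brute-force arithmetic ratfox works through above, and the "11 good, 6 not good enough" comparison in the comment just before this, as an added example that is not part of the thread: the script estimates how many random guesses (and how many years at a given guess rate) it takes to hit any live URL for a given alphabet, identifier length and number of live URLs. The first scenario reproduces ratfox's numbers; the live-URL counts for the 6- and 11-character cases are assumptions, not measurements.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def valid_fraction(alphabet_size: int, length: int, valid_urls: int) -> float:
    """Share of the identifier keyspace (alphabet_size ** length) that maps to
    a live URL. This density is what decides whether random scanning pays off."""
    return valid_urls / alphabet_size ** length


def guesses_to_half_chance(alphabet_size: int, length: int, valid_urls: int) -> float:
    """Random guesses needed for a 50% chance of hitting *any* live URL.
    Each guess succeeds with probability p = valid_fraction, so the number of
    guesses to reach 50% is ln(2) / p (geometric distribution, small p)."""
    return math.log(2) / valid_fraction(alphabet_size, length, valid_urls)


def years_to_half_chance(alphabet_size: int, length: int, valid_urls: int,
                         guesses_per_second: float) -> float:
    """Wall-clock years for the same 50% chance at a given guess rate."""
    return (guesses_to_half_chance(alphabet_size, length, valid_urls)
            / guesses_per_second / SECONDS_PER_YEAR)


# Constructed scenarios: (label, alphabet size, identifier length, live URLs).
# The first reproduces ratfox's figures (8 billion users x 1 million documents);
# the live-URL counts for the other two are assumptions, not measurements.
SCENARIOS = [
    ("64 letters, A-Za-z (ratfox)", 52, 64, 8 * 10**15),
    ("6 chars, a-zA-Z0-9 (bit.ly-style)", 62, 6, 10**9),
    ("11 chars, 64-symbol (YouTube-style)", 64, 11, 10**9),
]


def report(guesses_per_second: float = 1e9) -> list:
    """Return (label, guesses, years) for each scenario at the given rate."""
    rows = []
    for label, alphabet, length, live in SCENARIOS:
        rows.append((label,
                     guesses_to_half_chance(alphabet, length, live),
                     years_to_half_chance(alphabet, length, live, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # ratfox's 10^9 guesses/s versus a rate-limited web API at 10^3 requests/s
    for rate in (1e9, 1e3):
        print(f"--- {rate:.0e} guesses/second ---")
        for label, guesses, years in report(rate):
            print(f"{label:38s} guesses={guesses:10.3g}  years={years:10.3g}")
```

The 11-character case shows why guess rate matters as much as identifier length: at a realistic request rate the same keyspace buys years rather than seconds, which is the lever a service's rate limiting actually controls.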

  9. MR J

    I got banned from a MMORPG after one of the players tried scamming me...

    He used a URL shortening service to post "proof" of what he had. Thing is that he used the same account on that service for his primary game account, scamming account, and his University account! So all of his coursework and thesis papers were published against his personal stuff. Cyber Security major who was nearing the end.

    I have also seen businesses use these services to link content that they are not wanting to publish on their website yet, but want to be on their servers.

    While neither are directly related to the research, it shows to me that not enough thought goes into these services at all from either end. Having 10 or 20 characters in a shortened reference wouldn't be good... The idea of making it "Short" is so it is not that long. I think it was a solution chasing a problem that would fit. The only upshot I guess is that you can collect stat data from a click through.

  10. TeeCee Gold badge

    Hang on.....

    I don't ever recall shortening services being touted as a "security feature", only as a method for posting links for others without falling foul of some appallingly badly written forum's or email client's line wrapping.

    I guess that if you start using something for a purpose that was not intended, you do tend to find that it isn't very good at it. I'm afraid that obfuscation has never been, is not and never will be a substitute for security.

    Next week: Sports scientists conclude that waffle irons are not effective as tennis racquets.

    1. Michael Wojcik Silver badge

      Re: Hang on.....

      Sigh.

      Expecting users to understand which features improve security and which reduce it is a fool's game. It may inflate your ego, but it does nothing to address the problem.

      More importantly, some of the issues revealed by this study have nothing to do with a user's belief that URL-shortening was a security mechanism. With OneDrive, for example, a short URL to a non-sensitive document could be escalated into access to sensitive ones, or write access to other "folders". (Microsoft has since sort-of patched this hole.) RTFP.
