The trend of using shortened URLs offers a new opportunity for hackers to invade users' privacy, as a computer can be programmed to generate random strings of characters and try out each one as a Web address until it gets a hit, according to Cornell Tech researchers.
They say this could be a major problem for cloud-based file storage services that use URL shortening for links to users' documents.
As a demonstration, the researchers generated and tested more than 42 million six-character short URLs and found 2,130 led to files on OneDrive. From the addresses, the researchers were able to find all other files belonging to the same user.
The researchers suggest making the URLs slightly longer, which would force intruders to spend a lot more time and effort. For example, with a 10-character string, it would be 15 million times harder to find a working link than it is with six-character URLs, according to the researchers.
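The arithmetic behind the longer-URL recommendation, as an added example that is not from the researchers or the article. It assumes a 62-character alphabet (letters and digits), which reproduces the 15 million figure, and it treats the reported scan counts as approximate inputs; all function names are illustrative.

```python
import secrets
import string

# Assumption: tokens use the 62 ASCII letters and digits; the article does not
# state the alphabet, but 62**4 = 14,776,336 matches its "15 million" figure.
ALPHABET = string.ascii_letters + string.digits


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct tokens of the given length."""
    return len(alphabet) ** length


def hardening_factor(old_len, new_len, alphabet=ALPHABET):
    """How many times larger the search space gets when tokens grow."""
    return keyspace(new_len, alphabet) // keyspace(old_len, alphabet)


def guesses_per_hit_after(sampled, hits, old_len, new_len):
    """Scale an observed guesses-per-hit rate to a longer token length,
    assuming the number of live links stays the same."""
    return (sampled / hits) * hardening_factor(old_len, new_len)


def min_length(live_links, guesses_per_hit, alphabet=ALPHABET):
    """Shortest length at which a random guess succeeds no more often than
    once per `guesses_per_hit` tries, given `live_links` valid tokens."""
    length = 1
    while keyspace(length, alphabet) < live_links * guesses_per_hit:
        length += 1
    return length


def new_token(length, alphabet=ALPHABET):
    """Draw a token from the OS CSPRNG so tokens are not predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Figures from the article, treated as approximate (it says "more than").
    sampled, hits = 42_000_000, 2_130
    print("six chars: about 1 hit per", round(sampled / hits), "guesses")
    print("ten chars: about 1 hit per",
          f"{guesses_per_hit_after(sampled, hits, 6, 10):.2e}", "guesses")
    # Constructed sizing input: one million live links, 1e12 guesses per hit.
    print("length needed:", min_length(1_000_000, 10**12))
    print("sample token:", new_token(10))
```

Length only helps if tokens are drawn uniformly at random; sequential or otherwise predictable tokens can be found without searching the whole space.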
In addition, cloud storage services should warn users about the dangers of using shortened URLs, and these services should generate their own short URLs, instead of relying on services that have publicly accessible databases.
The researchers also say cloud storage providers should change their systems so it is no longer possible for an intruder to go from one discovered file to all of the other files belonging to the same account.
From Cornell Chronicle
Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA