Skip to main content

Shortened URLs could be susceptible to cyber attacks

Generating a shortened URL to share content may seem like a good idea, but it may also expose you to unnecessary security risks, a new research paper shows.

Titled Gone in Six Characters: Short URLs Considered Harmful for Cloud Services, it explains how short URLs can be used by malicious players to plant malware, copy personal files, and retrieve all sorts of personal information, like your home address, among other things.

URL shorteners, as their name suggest, are meant to bring long links, that can contain dozens of characters, usually down to just a few letters and numbers. That has some clear benefits: shortened URLs suit SMS messages and tweets better, look nicer in conversations, and allow services to track the number of clicks for a specific link, among other things. But the fact that they only contain a handful of characters makes them susceptible to brute-force search.

With standard links, it is extremely difficult to find lots of working combinations that can be exploited by malicious parties. If you have, say, three dozen characters in it, it would take lots of time to go through all the possible combinations, and try each and every one, to see where it may lead them. Well-designed services would probably block access to that account in such cases. Meanwhile, with a shortened URL that typically contains about five or six characters, usually letters and numbers, it is much easier to reach users' content. A small number of attempts would yield an actionable link.

As the researchers behind the report, Martin Georgiev and Vitaly Shmatikov, explain, "all online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone". A malicious person could use brute-force search to find valid links generated by link-shortening services to discover files stored on cloud services, even content that users did not generate shortened URLs for and, when write permissions are given, inject malware into them.

Georgie and Shmatikov analysed Microsoft's OneDrive in their research and found that seven per cent of the accounts that they have exposed using shortened URLs allow "anyone to write into them". A malicious person could upload malware to such an account, and it would get mirrored onto the user's PCs and other devices if they use a syncing app or program.

Users could end up with some nasty malware on their PCs and they would likely have no idea where it came from. Now imagine just how big of a risk this can be in corporate environments, where some nicely-hidden piece of malware could do some serious damage.

OneDrive is just one example though; other cloud storage services are also affected if users generate shortened URLs. But cloud storage services are not the only ones that malicious parties can target.

You can read the complete findings here. The paper goes into much, much more detail, including ways to make URL shorteners more secure. For one, the researchers recommend making shortened URLs longer, so there's a smaller chance of finding viable links. Services can also employ CAPTCHAs to differentiate real users from scanners. Users, meanwhile, are advised to avoid generating shortened URLs whenever possible.


It is worth pointing out that not all shortened URLs are a security risk. For instance, if you want to share a publicly-available webpage with someone, but you do not want to paste its full address, a shortened URL makes sense. Also, you may see shortened URLs on Twitter, where users, like us, are likely to share content that is not privacy-sensitive.

On the other hand, if you want to share a shortened URL with someone else to, for instance, show them photos of your newborn baby, it might be wise to find a different method. Same goes with sharing your home address with your friends.

Image source: Shutterstock/Archiwiz