URL shorteners could offer shortcut to malware infection, study claims
April 15, 2016
Shah Sheikh (1294 articles)

URL shorteners could offer shortcut to malware infection, study claims

While it might make a particularly long URL look tidier, cloud services that use URL shorteners with only six characters could leave themselves vulnerable to malware attacks using brute force.

Typically, these cloud services use URL shorteners as a means of being able to share access to shared folders across the web in the same way someone might want to use it to share a link on character-sensitive platforms, but there could be consequences for both the user and host of the cloud service.

According to Boing Boing, a new research paper posted online states that, with the typical shortened URL containing just six characters, a brute force attack instigated by a hacker could, by the process of elimination, locate the URL, which would allow the hacker access to all of the shared folders.

Essentially, while a shortened URL might have been intended as a means of sharing a cloud folder with a select number of collaborators, a brute force attack could make it vulnerable to pretty much anyone.

Online maps also vulnerable

In the researchers’ example, they looked at cloud storage using Microsoft OneDrive and, by using brute force attacks against it, were able to expose 7pc of those using short URLs.

Given the very nature of the cloud, the same danger can be applied to services that automatically sync up with your other devices, such as a phone or tablet.

The researchers go on to show that the same vulnerability could also prove harmful to users of online maps.

As services like Google Maps allow people to send directions to one another using shortened URLs, the same vulnerability could be applied to access these locations.

As the paper’s abstract explains: “For many individual users, this enables inference of their residential addresses, true identities, and extremely sensitive locations they visited that, if publicly revealed, would violate medical and financial privacy.”

Source | SiliconRepublic