Researchers testing the boundaries of privacy in short URLs have cracked them, opening the door to potential spying.
You probably use short URLs in your everyday life: on Twitter, in emails, maybe on your blog. They are both convenient and, we once thought, secure. But researchers have managed to crack the miniature web addresses, and it turns out they may never have been the safe bet we assumed.
Short URLs and Dedicated Hackers
Tools like Google’s web address shortener and TinyURL work by generating a short random address that redirects to the full destination. It makes sharing simpler and cleaner, and is great for social media posts.
But Cornell University researchers have found that these addresses can be “brute forced” to reveal their destinations. It isn’t so much a matter of skill as it is time.
A program that guesses continuously will run through millions of the potential combinations that make up short URLs. Some of those random guesses will eventually land on a real page, and from there the user can follow the redirect to the source page.
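As an added example, not code from the original article or from the researchers, here is a toy model in Python of the "time, not skill" point above. The shortener is an in-memory stand-in constructed for this example, the 62-character alphabet and the URLs are assumptions, and the enumeration walks the token space in order. It shows the check an operator of a shortener wants: how large the token space is relative to the number of live links, and therefore how many guesses a full sweep costs before a longer token makes it impractical.

```python
"""
Toy model of why short-URL tokens can be enumerated: the token is the only
secret, so the cost of finding live links is set by the size of the token space.
The shortener below is an in-memory stand-in, not any real service.
"""
import itertools
import random
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed alphabet)


def keyspace(token_length, alphabet_size=len(ALPHABET)):
    """Number of possible tokens of the given length."""
    return alphabet_size ** token_length


def guesses_per_hit(token_length, live_links, alphabet_size=len(ALPHABET)):
    """Average number of guesses before one resolves to a live link."""
    return keyspace(token_length, alphabet_size) / live_links


def scan_seconds(token_length, live_links, guesses_per_second,
                 alphabet_size=len(ALPHABET)):
    """Wall-clock seconds per discovered link at a given guessing rate."""
    return guesses_per_hit(token_length, live_links, alphabet_size) / guesses_per_second


class ToyShortener:
    """In-memory stand-in for a URL shortener (constructed for this example)."""

    def __init__(self, token_length, rng):
        self.token_length = token_length
        self.rng = rng
        self.table = {}

    def shorten(self, url):
        # Draw random tokens until an unused one is found, as a shortener would.
        while True:
            token = "".join(self.rng.choice(ALPHABET) for _ in range(self.token_length))
            if token not in self.table:
                self.table[token] = url
                return token

    def resolve(self, token):
        return self.table.get(token)


def enumerate_tokens(shortener, limit):
    """Walk the token space in order and count tokens that resolve to a link.
    Stops after `limit` guesses so the caller controls the simulated budget."""
    hits = 0
    guesses = 0
    for chars in itertools.product(ALPHABET, repeat=shortener.token_length):
        if guesses >= limit:
            break
        guesses += 1
        if shortener.resolve("".join(chars)) is not None:
            hits += 1
    return hits, guesses


def demo():
    rng = random.Random(1234)  # fixed seed so the run is reproducible
    budget = keyspace(2)       # 3844 guesses: the entire 2-character space

    # Short tokens: the whole space is cheap to sweep and every link is found.
    short = ToyShortener(token_length=2, rng=rng)
    for i in range(100):
        short.shorten(f"https://example.invalid/doc/{i}")  # constructed URLs
    short_hits, short_guesses = enumerate_tokens(short, limit=budget)

    # Long tokens: the same budget covers a vanishing fraction of the space.
    long_ = ToyShortener(token_length=16, rng=rng)
    for i in range(100):
        long_.shorten(f"https://example.invalid/doc/{i}")
    long_hits, long_guesses = enumerate_tokens(long_, limit=budget)

    return {
        "short_hits": short_hits, "short_guesses": short_guesses,
        "long_hits": long_hits, "long_guesses": long_guesses,
        # Illustrative cost for a 6-character token: assumed 1e9 live links
        # and 1e4 guesses per second, both constructed figures.
        "six_char_seconds_per_hit": scan_seconds(6, live_links=10**9,
                                                 guesses_per_second=10**4),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The numbers that matter for a defender are `keyspace` and `guesses_per_hit`: a 6-character alphanumeric token gives about 5.7e10 possibilities, which is small once a service holds many live links, while each extra character multiplies the sweep cost by 62. Lengthening tokens (the researchers' recommendation) and rate-limiting resolution are the mitigations this model makes visible.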
That might seem harmless enough at first glance. But that information could give an attacker all they need to hide plenty of malicious code, malware, and page redirects in the mix. Essentially, they would be catching users mid-transfer. Or they could gather information via third-party sources (think Google Maps data searches, for example).
An enterprising hacker, and one who steals data for a living, could come up with plenty of uses for this vulnerability. In fact, they may have already. These links, some of which may have held sensitive data, may effectively have been public through this simple, if extensive, method of cracking.
The Creepy Potential of Short URL Hacks
A very disturbing use of this information was given as an example. The researchers found a random link from Google Maps. Through the original source they traced back both the beginning and end point of the trip. On one end you have a Planned Parenthood clinic. On the other you have the address of the young woman who had searched for and then shared it. All of which was confirmed.
Imagine you are a domestic abuse victim escaping your abuser. You do a Google Maps search for a shelter, send that link through a short URL to a family member, and flee. The fact that, even after you delete your history, that information is still potentially out there and available, regardless of how likely it is that person finds it, is upsetting.
Source: Wired