Shortened Links May Expose Your Personal Data
According to a new research, links which are shortened from the sites like bit.ly and goo.gl has revealed that how an attacker can gain access to your personal data from a cloud drive.
Shortened Links May Expose Your Personal Data
Shortened links services let you replace a long URL with multiple simple and short parameters. As a rule, short address begins with service address and unique token ends with a length of 5, 6 or 7 characters. Shortened links generated by the services like bit.ly, goo.gl have a special equipment through which you can cycle through all the short addresses and access to the important information on the Web. For example, to obtain a base of 6-character tokens service bit.ly will need about 100 million bit.ly URLs. According to the authors, using the appropriate botnet data can be obtained in just a day.
During the work, researchers have paid attention to the mapping services and cloud storage, such as Microsoft OneDrive and Google Maps. When you send links to folders, documents or map services offer users to generate short links. After analyzing 42,229,055 short bit.ly addresses, the authors found 3003 links that lead to documents and folders located in OneDrive storage. Most of them turned out to be valid.
Thus, if the shortened URL used to reference data from the cloud service, the outsider can get access to the information referred to had never been published in open access. As noted by the experts, according to the information from this link you can gain access to other files and folders of this account. As a result of the scan, researchers found more than 227 thousand URLs. OneDrive publicly available documents, including thousands of files in PDF, Word, spreadsheets, media, and so on. Vitaly Shmatikov and Martin Georgiev noted that the analysis used only the metadata, where the files are not downloaded.
According to the experts, about 7% of open folders in OneDrive can be edited by anyone. This gives attackers the ability to modify an existing or upload arbitrary content, including malicious software, which will automatically load the service on user’s devices. The researchers informed Microsoft about the problem. In March 2016, the company changed the algorithm for generating links, but old links remain operational and are still not protected.
Post a Comment