Popular URL shorteners, like bit.ly, could be exposing your personal information to others, according to a new study.
A team of researchers at Cornell Tech analysed more than 200 million links that were generated by URL shortener bit.ly. They found that the links gave them access to all kinds of content behind them, such as Google Maps driving routes and private documents stored on Microsoft’s OneDrive.
But not only that, researchers believe that this information could be used to add new malware to OneDrive folders, which people would then later sync to their computer. Ouch.
In a blog post about the study, the leader of the research team, Vitaly Shmatikov, explains that the issue is that URL shorteners unintentionally expose the original URL at the same time as generating a shorter one. So if you’re linking to something sensitive or something stored in cloud storage, you need to think twice before shortening and sharing.
[Via Wired.co.uk, Freedom to Tinker Blog]
This article originally appeared on Lifehacker UK
Comments
5 responses to “Here’s Why You Should Think Twice Before Using URL Shorteners”
Another good example of “if you can’t figure out what the product is, it’s you.”
That’s assuming that only free services sell your information. Plenty of paid services do the same thing.
Ahh right, so if you’re expecting them to shorten a public link (which is what they claim to do), then you’re fine. If you expect them to obfuscate the original link (which is not what they claim to do), they don’t do a very good job of it.
Got it.
Also if there’s an identifying algorithm in the URL it’ll be brought across. For example, an Amazon item’s URL might be “http://www.amazon.com/Product-Name/dp/A##A##AAHH”. But if you copy and paste it from the URL bar it might come with a tag beginning “ref=” showing the referring URL, and maybe your account ID.
Google Maps does something similar.
Good point – but you are still not taking on any extra risk by using a URL shortener than you are by sharing the original URL. i.e. They are still perfectly safe and secure if you use them with the expectation that it shortens (but does not hide) your original URL.
I don’t think it’s a reasonable expectation that URL shorteners hide your original URL, not only because they don’t claim to, but because bit.ly lands you at the page with a fully visible original URL in the address bar.
I think a more reasonable finding would have been “by analyzing the links published to bit.ly, researchers have found that many people do not understand that sharing their Google Drive, OneDrive or other cloud-service URL actually exposes their personal information”
What, you mean get a journalist, or pseudo-journalist, to use an accurate article headline? Perish the thought!