Shortened URLs help hackers spy on you
The next time you want to shorten a URL, you might think again: short URLs are known to help attackers spy on you. Besides exposing your private information, attackers could exploit tiny URLs to plant malware in cloud storage accounts.
Researchers Martin Georgiev and Vitaly Shmatikov explain that shortened links from Google, Microsoft, and bit.ly are vulnerable to brute-force enumeration, because each is a web address with only six seemingly random characters, which is a small enough space to scan.
By enumerating short URLs by trial and error, the two researchers found that around 7% of the OneDrive and Google Drive accounts they reached were vulnerable to brute-force attacks.
Shortened Google Maps URLs are also susceptible, as the directions they resolve to reveal routes between two locations, including users' home addresses and other places of interest.
Wired reports that the research duo tested 71 million OneDrive short URLs, of which 24,000 were live and gave them access to individual files and folders. The report adds that resolving a tiny URL reveals the full-length URL, which could then be modified to reach other folders belonging to the same user.
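As an added illustration of the enumeration problem described above (example code written for this page, not the researchers' scanner or any shortener's code), the Python below computes the size of the six-character token space, the cost multiplier of lengthening tokens as Google later did, and runs a prefix enumeration against a small constructed, offline stand-in for a shortener's token table. The 62-symbol token alphabet, the sample tokens and target URLs, and the `enumerate_tokens`, `resolve`, `classify` and `scan` helpers are all assumptions made for this example.

```python
import itertools
import string
from typing import Dict, Iterable, Iterator, List, Optional
from urllib.parse import urlparse

# Assumed token alphabet: letters and digits, 62 symbols, as used by
# typical six-character shorteners.
ALPHABET = string.ascii_letters + string.digits


def keyspace(token_len: int) -> int:
    """Number of distinct tokens of a given length over the 62-symbol alphabet."""
    return len(ALPHABET) ** token_len


def expected_requests_per_hit(token_len: int, live_tokens: int) -> float:
    """Average resolution requests an attacker needs per live short URL found,
    assuming live tokens are spread uniformly over the keyspace."""
    return keyspace(token_len) / live_tokens


def enumerate_tokens(prefix: str, tail_len: int) -> Iterator[str]:
    """Yield every token starting with `prefix`. A full brute-force scan is this
    generator with prefix="" and tail_len=6, i.e. 62**6 tokens."""
    for tail in itertools.product(ALPHABET, repeat=tail_len):
        yield prefix + "".join(tail)


# Constructed stand-in for a shortener's token -> long URL table (no network).
# None of these tokens, keys or resource ids are real.
SIMULATED_SHORTENER: Dict[str, str] = {
    "aB3kQ9": "https://onedrive.live.com/redir?resid=ABCDEF0123456789!110&authkey=!ANotARealKey",
    "aB3kzz": "https://www.google.com/maps/dir/12+Example+Street,+Springfield/Example+Clinic",
    "mN4pR7": "https://example.com/press/2016/release",
}


def resolve(token: str) -> Optional[str]:
    """Stand-in for following the short URL's HTTP redirect to its long target."""
    return SIMULATED_SHORTENER.get(token)


def classify(long_url: str) -> str:
    """Bucket a resolved target by what it exposes: cloud storage, map directions, other."""
    parts = urlparse(long_url)
    host = (parts.hostname or "").lower()
    if host.endswith("onedrive.live.com"):
        return "cloud-storage"
    if host.endswith("google.com") and parts.path.startswith("/maps/dir/"):
        return "maps-directions"
    return "other"


def scan(tokens: Iterable[str]) -> Dict[str, List[str]]:
    """Resolve every candidate token and collect the live targets by category."""
    hits: Dict[str, List[str]] = {"cloud-storage": [], "maps-directions": [], "other": []}
    for token in tokens:
        target = resolve(token)
        if target is not None:
            hits[classify(target)].append(target)
    return hits


if __name__ == "__main__":
    print(f"6-character keyspace:  {keyspace(6):,}")
    print(f"11-character keyspace: {keyspace(11):,}")
    print(f"Going from 6 to 11 characters multiplies scan cost by {keyspace(11) // keyspace(6):,}")
    # With a million live links behind six-character tokens, a random scan
    # needs roughly 57,000 requests per hit.
    print(f"Requests per hit at 1M live 6-char links: {expected_requests_per_hit(6, 1_000_000):,.0f}")
    # Enumerate the 3,844 tokens sharing a four-character prefix (offline).
    for kind, urls in scan(enumerate_tokens("aB3k", 2)).items():
        print(f"{kind}: {len(urls)} live")
```

The arithmetic is the whole point: lengthening the token from 6 to 11 characters multiplies the cost of a random scan by 62^5, so the same number of live links becomes impractical to find by enumeration. Running the enumeration against a real shortener is a scan of someone else's service and should only be done with authorisation; the stand-in table keeps the example offline.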
"If someone wanted to inject a lot of malicious content into people's computers, it's a pretty interesting way of doing it. By scanning you can find these folders, you put whatever you want in them, and it gets automatically copied to people's hard drives," Wired quoted Shmatikov.
To illustrate the severity of the threat from Google Maps' tiny URLs, the researchers identified a young woman's full name, age, and residence address from a shared directions link to a Planned Parenthood facility.
Google has reportedly increased the length of its short URL tokens to 11 or 12 randomized characters after the researchers notified the company last September of the threat to Google Maps and other products.
Reacting to the researchers' concerns, Microsoft has removed the URL shortening feature from OneDrive. However, the researchers note that all the vulnerable links identified so far still work: removing the feature stops new short links from being created but does not revoke the existing ones.