For casual Internet users and social media addicts, URL shorteners are a tremendous convenience. Want to fit a long URL into a 140-character tweet? Want to quickly share files that are hosted on Dropbox or OneDrive? Not only can services like bit.ly shorten a URL in a blink, many cloud hosting services such as OneDrive have shorteners baked right into their interface. As with many such tools, however, that convenience hides startling vulnerabilities under the surface, threatening cloud security.
Here's the problem with shortened URLs: they're not secret. More accurately, they’re discoverable. Let’s say that you share a bit.ly link with one of your friends—this link, for example: http://bit.ly/1qFvqgA (Safe-T's white paper page, by the way). Each bit.ly link looks more or less the same, with a prefix followed by a seven-character string of random text.
Applying Password-Cracking Concepts
Taking a hacker's approach to URL shorteners will tighten your grip on cloud security. If you’re familiar with information security, that character string—1qFvqgA—looks a lot like a decently constructed password. It’s not a great password, as it’s only seven characters long and contains no symbols. With a modified copy of hashcat and a few months’ worth of time on a stronger than average computer, you could independently generate a bit.ly link that would exactly match the link given above.
Actually, that’s not quite correct. You could generate every bit.ly link that’s currently in use.
In an eighteen-month study, researchers from Cornell Tech decided to probe the link shorteners used by Google Maps and OneDrive by generating short links at random. Using nearly 200 machines linked together, they were able to generate 100 million bit.ly links during that time period. Of the links that were generated, 1.3 million of them resolved to Microsoft OneDrive files, alongside hundreds of unlocked Google Drives. From the Google Maps data, they harvested over 20 million addresses linked to specific users.
This Research is Just the Tip of the Iceberg
Obviously, 100 million links don’t represent the entirety of bit.ly links in use. Eighteen months is also a long time to wait. Say you start thinking like a hacker, however. You can build a GPU-based password-cracking machine powerful enough to break every Windows password in under six hours—all for less than the price of a new car. If you’re government-sponsored, you might have something like the NSA data center on your side.
Let’s say that you turn that machine to generating bit.ly links instead.
- How long would it take before you actually did have every bit.ly link currently in use?
- Once you had those links, how hard would it be to automatically trawl them for documents that might contain PII?
- After generating some Google Map links, how hard would it be to start planning some identity theft based on harvested address data?
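To put numbers on the first of those questions from the defender's side, here is an added example (not code from the original post or from Safe-T) that models a short-link key as a uniformly random string, the way the password comparison above treats it. The guess rate, the number of links in use and the acceptable hit budget are assumed figures chosen for illustration; the only page-derived input is the 7-character alphanumeric key.

```python
import math

# bit.ly-style keys: a-z, A-Z, 0-9 (62 symbols), 7 characters long
ALNUM = 62
BITLY_KEY_LENGTH = 7


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct keys of the given length over the alphabet."""
    return alphabet_size ** length


def seconds_to_enumerate(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock seconds to try every key at a constant guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def expected_hits(guesses: int, alphabet_size: int, length: int, links_in_use: int) -> float:
    """Expected number of live links an attacker reaches with `guesses` uniform
    random probes, assuming live keys are spread uniformly over the keyspace.
    Each probe hits with probability links_in_use / keyspace."""
    return guesses * links_in_use / keyspace(alphabet_size, length)


def min_length_for_budget(alphabet_size: int, links_in_use: int,
                          guesses: int, max_expected_hits: float) -> int:
    """Smallest key length at which an attacker who spends `guesses` probes is
    expected to reach at most `max_expected_hits` live links. This is the
    knob a service (or a self-hosted shortener) controls: key length."""
    length = 1
    while expected_hits(guesses, alphabet_size, length, links_in_use) > max_expected_hits:
        length += 1
    return length


if __name__ == "__main__":
    # Assumed figures: one million live links, one million guesses per second.
    live, rate = 1_000_000, 1e6
    days = seconds_to_enumerate(ALNUM, BITLY_KEY_LENGTH, rate) / 86400
    print(f"62^7 keyspace: {keyspace(ALNUM, BITLY_KEY_LENGTH):,} keys")
    print(f"full enumeration at {rate:.0e} guesses/s: {days:.1f} days")
    # The study's 100 million random probes against the assumed million live links:
    print(f"expected live hits from 1e8 probes: {expected_hits(10**8, ALNUM, 7, live):.1f}")
    # Key length needed so that the same 1e8 probes are expected to hit at most one link:
    print(f"length needed to cap 1e8 probes at 1 hit: {min_length_for_budget(ALNUM, live, 10**8, 1.0)}")
```

The model is deliberately simple: real services may throttle or block probes, and live keys may not be uniformly distributed, both of which change the rate but not the keyspace arithmetic.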
Enterprises Must Strengthen Cloud Security
If you’re an enterprise, any data that your employees share via URL shorteners could be at risk. Here are the steps to solve this problem:
- Encrypt all data to which the links point within your perimeter: Do this before the link is sent. Require the recipient of the link to authenticate in order to decrypt and access the actual data. That way, even if hackers do find a link to one of your documents, the data in it will be useless to them.
- Control where and how data can be shared: Certain documents just shouldn’t be allowed anywhere near a Dropbox, shared drive, or email attachment.
Safe-T’s Software-Defined Access gives organizations that control and ensures that the data stays out of the wrong hands. To find out more about Safe-T’s Software-Defined Access, please visit our new website.