{"id":14262,"date":"2016-04-25T13:43:36","date_gmt":"2016-04-25T17:43:36","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=14262"},"modified":"2016-04-25T13:43:36","modified_gmt":"2016-04-25T17:43:36","slug":"short-urls-considered-harmful-for-cloud-services","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2016\/04\/25\/short-urls-considered-harmful-for-cloud-services\/","title":{"rendered":"Short URLs Considered Harmful for Cloud Services"},"content":{"rendered":"

Vitaly Shmatikov<\/a> (via Bruce Schneier<\/a>):<\/p>\n

Short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force.  Our scan discovered a large number of Microsoft OneDrive accounts with private documents.  Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.  We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.<\/p><\/blockquote>\n\n

Nick Heer<\/a>:<\/p>\n

\n

At any rate, the owners of the services in question quickly modified their code so that short links couldn’t be brute-forced or automatically crawled, and measures were put in place to limit access rates on any particular link.<\/p>\n

This stuff was solved years<\/em> ago on services built by a single developer. This shouldn’t be an issue at large companies like Google and Microsoft.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"

Vitaly Shmatikov (via Bruce Schneier): Short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force.  Our scan discovered a large number of Microsoft OneDrive accounts with private documents.  Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[48,96],"class_list":["post-14262","post","type-post","status-publish","format-standard","hentry","category-technology","tag-security","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=14262"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14262\/revisions"}],"predecessor-version":[{"id":14263,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/14262\/revisions\/14263"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=14262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=14262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=14262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}