Following on from yesterday’s post, so yes, this one is about being caught short in public. Security researchers have recently discovered a rather significant glitch with the whole concept of URL shorteners, which is laid out in Georgiev and Shmatikov (2016).
In a nutshell, it is the result of the fact that short URLs are, as the name suggests, quite short. They might still be a mouthful to read out, and have many more combinations than, say, four-digit bank card PINs, but the total number of possibilities is much smaller than that of long, unfettered URLs. You wouldn’t want to sit there guessing them, but imagine you had a machine capable of being set to work through simple, repetitive tasks very quickly. A machine somewhat like… a computer!
If your short URL points to a public resource, like one of the posts on this blog, there is no problem. If it points to a private address where a login is required, you are likewise safe. The issue is links where, for convenience, the access key is included in the address. For example, you can share a document on Google Drive or Dropbox so that it remains ‘private’ but accessible to anyone with the link. Normally those links are complex enough that it would take an unfeasible amount of time for even a fast computer to guess, but shorten them down and, voilà!
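To put numbers on that, here is an added example (not from the post or the paper) that compares the search space of a short alias with that of a long ‘anyone with the link’ key. It assumes a base-62 alias alphabet, a 6-character alias, a 32-character long key, a probe rate of 1,000 requests per second and a billion assigned links; all of those are assumptions for illustration.

```python
"""Why a short alias undoes the protection of an 'anyone with the link' key.
Added example. Assumed (not from the post): base-62 alphabet, 6-char alias,
32-char long key, a fixed probe rate and a guessed number of live links."""
import math
import string

ALPHABET_SIZE = len(string.ascii_letters + string.digits)  # assumed: 62 symbols
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct strings of `length` symbols over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Guessing entropy of a uniformly random key of `length` symbols."""
    return length * math.log2(alphabet_size)


def sweep_years(length: int, probes_per_second: float) -> float:
    """Years needed to try every string in the space at a fixed probe rate."""
    return keyspace(length) / probes_per_second / SECONDS_PER_YEAR


def probes_per_live_link(length: int, assigned: int) -> float:
    """Average probes a random scan needs to land on one assigned key:
    the reciprocal of the live fraction assigned / keyspace."""
    return keyspace(length) / assigned


def compare(short_len: int = 6, long_len: int = 32,
            probes_per_second: float = 1_000.0,
            assigned: int = 1_000_000_000) -> dict:
    """Side-by-side figures for a short alias and a long share key."""
    report = {}
    for label, length in (("short_alias", short_len), ("long_key", long_len)):
        report[label] = {
            "keyspace": keyspace(length),
            "entropy_bits": round(entropy_bits(length), 1),
            "sweep_years": sweep_years(length, probes_per_second),
            "probes_per_live_link": probes_per_live_link(length, assigned),
        }
    return report


if __name__ == "__main__":
    for label, figures in compare().items():
        print(label, figures)
```

At the assumed rate the whole 6-character space can be swept in under two years, and with a billion live links a random probe hits one roughly every 57 requests, whereas the 32-character space would take longer than the age of the universe by many orders of magnitude.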
So don’t be afraid to shorten your URLs, unless doing so makes a private address easily guessable.
Georgiev, M. and Shmatikov, V. (2016) ‘Gone in Six Characters: Short URLs Considered Harmful for Cloud Services’, arXiv preprint, [online] Available from: http://arxiv.org/abs/1604.02734.