I’ve written about URL shorteners on this blog before. I’m not a fan. While I recognize that short URLs are great for branding and sharing, they’re also fragile and prone to link rot. A recent study from Martin Georgiev and Vitaly Shmatikov reveals yet another reason to be careful with short URLs, especially when they’re used as a quick and easy way to share information from web applications and the cloud. Short URLs can create security and privacy issues.
URL shorteners are simple in principle. They create a mapping between a long URL and a shortened version created by the service. A user enters the long URL, and the service then generates a short URL, stores the mapping between them in its database, and returns the short URL to the user. When the short URL is used, the service looks up the mapping in its database and forwards the user to the long URL.
The fragility here is obvious: if the URL shortening service is unavailable, the short link will not function. That’s bad enough for temporary availability problems, but link shortening services are vulnerable to the same pressures as other online services — the businesses behind them may decide they don’t want to maintain the service and then every short link simply stops working. It’s link rot on a massive scale.
The security issue caused by short URLs is a result of their shortness. Most short URLs are composed of a root domain plus a path made up of a few letters and numbers.
The path is the problem. There simply aren’t all that many combinations of letters and numbers in a six-character string. In fact, for six-character strings drawn from all the letters and digits (62 symbols), there are 62^6 combinations, roughly 57 billion. That’s a big number, to be sure, but it’s not so big that it’s impossible for a motivated attacker to generate all the combinations and try them out. It would take time and a few servers, but, as the researchers showed, it’s entirely possible to discover a significant chunk of a service’s shortened URLs. If your web app generates short URLs in the hope that guessers will be confounded by the number of possible combinations, you might be exposing users to risk.
Of course, there are ways around the problem, including requiring users to be logged in before loading pages. Nevertheless, enumerating and visiting the link space of a URL shortener can hand useful information to an attacker, especially if your application uses an easily guessed URL structure for its long URLs. In that case, once the attacker finds one working short URL, they can work out other working URLs within the same account from the URL pattern.
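To make the keyspace arithmetic above and the mitigations in this paragraph concrete, here is an added example (my own code, not from the post or from the Georgiev and Shmatikov study). It models a shortener as an in-memory table, computes how large the token space is for a given length and how thin the live links are spread across it, and shows the two defensive choices the text points at: drawing tokens from a cryptographic random source so the live region is unpredictable, and refusing to resolve a private link unless the request comes from its owner. The `Shortener` class, its method names, and the sample URLs are assumptions made for this illustration.

```python
import string
import secrets
from typing import Dict, Optional, Tuple

# Alphabet assumed by the post: upper- and lower-case letters plus digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace_size(length: int) -> int:
    """Number of distinct tokens of the given length over the 62-symbol alphabet."""
    return len(ALPHABET) ** length


def guesses_per_hit(live_links: int, length: int) -> float:
    """Average number of random guesses needed to land on one live link.

    This is the figure that decides whether enumeration pays off: a service
    with many links packed into a short token space is cheap to mine, while
    lengthening the token makes each hit cost exponentially more guesses.
    """
    return keyspace_size(length) / live_links


def seconds_to_enumerate(length: int, guesses_per_second: float) -> float:
    """Time to walk the entire token space at a given request rate."""
    return keyspace_size(length) / guesses_per_second


class Shortener:
    """Constructed in-memory model of a shortener: token -> (long URL, owner, private)."""

    def __init__(self, token_length: int = 6) -> None:
        self.token_length = token_length
        self._table: Dict[str, Tuple[str, str, bool]] = {}

    def _new_token(self) -> str:
        # secrets.choice draws from the OS CSPRNG. Sequential counters or
        # random.random() would let an observer predict which tokens are live.
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(self.token_length))
            if token not in self._table:
                return token

    def shorten(self, long_url: str, owner: str, private: bool = False) -> str:
        token = self._new_token()
        self._table[token] = (long_url, owner, private)
        return token

    def resolve(self, token: str, user: Optional[str]) -> Optional[str]:
        """Return the long URL for a token, or None.

        Unknown tokens and private links requested by anyone other than the
        owner both yield None, so an enumerating client cannot distinguish
        "no such link" from "exists but not yours".
        """
        entry = self._table.get(token)
        if entry is None:
            return None
        long_url, owner, private = entry
        if private and user != owner:
            return None
        return long_url


if __name__ == "__main__":
    # Constructed scenario: one million live links behind six-character tokens.
    print("tokens of length 6:", keyspace_size(6))
    print("guesses per live link (1M links, length 6):", guesses_per_hit(1_000_000, 6))
    print("guesses per live link (1M links, length 10):", guesses_per_hit(1_000_000, 10))

    svc = Shortener(token_length=6)
    t = svc.shorten("https://example.com/docs/report.pdf", owner="alice", private=True)
    print("owner resolves:", svc.resolve(t, "alice"))
    print("anonymous resolves:", svc.resolve(t, None))
```

Run it directly to see the numbers; the point of `guesses_per_hit` is that the danger is not the absolute size of the space but how densely a popular service fills it, and that the owner check in `resolve` is what keeps a correctly guessed token from leaking a private document.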
Short URLs are a compelling tool for marketers and businesses that value their concision, but if your short URLs are too short, users’ content may not be safe.