Leave a comment

Security alert: A brand new way hackers can see your precious photos and steal your private files

Security alert: A brand new way hackers can see your precious photos and steal your private files

Independent researcher Martin Georgiev, and Cornell University professor Vitaly Shmatikov, published a paper yesterday called "Gone in Six Seconds: Short URLs Considered Harmful for Cloud Services." In this paper they describe weaknesses in services such as bit.ly and goo.gl.

These services take long Web addresses and make them short for easier sharing on character-limited sites like Twitter or in text messages. Instead of a 60-character address, you might have a 10- or 12-character address. That's handy, but it does create a vulnerability.

According to the researchers, the space of 5- and 6-character shortened URLs are so small that they can easily be scanned by using a brute-force search, therefore making privately shared content public. In other words, you might share the link of a personal picture in Dropbox with a friend using a shortened URL.

In theory, only the friend should have the link. However, hackers can try random shortened URLs until they find ones that link to interesting information, including the picture you shared.

Even worse, up to 7% of Microsoft's OneDrive accounts that use short-URL enumeration allow hackers to write arbitrary content to them, a flaw that could be exploited for large-scale malware injection. But wait, there's more.

Once a hacker discovers the short URL for a file in a OneDrive account, they can access all other folders and files in the account. Yes, even the ones not reached directly by a short URL.

Next page: OneDrive isn't the only service at risk
What color are these hearts? This amazing optical illusion's got the world stumped
Previous Happening Now

What color are these hearts? This amazing optical illusion's got the world stumped

Not what the doctor ordered: Major breach at medical facility exposed patients nationwide
Next Happening Now

Not what the doctor ordered: Major breach at medical facility exposed patients nationwide

View Comments ()