Hacker News new | comments | ask | show | jobs | submit login

Honestly this title feels a bit like FUD. Sure restricting the space of possible URLs decreases the difficulty of brute forcing urls, but honestly if you don't want something publicly accessible put it behind a auth wall.



Yes, the title does. But let's take a look at the actual content:

OneDrive generates short URLs for documents and folders using [..] the same tokens as bit.ly. [..] In our sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens [..] 19,524 URLs lead to OneDrive/SkyDrive files and folders, most of them live. [..] From the URL to a single shared document (“seed”), one can construct the root URL [from which] it is easy to automatically discover URLs of other shared files and folders in the account

In other words, the links provided by these shorteners contain authorization information. And:

Around 7% of the OneDrive folders discovered in this fashion allow writing.

And in the case of Google Maps:

goo.gl/maps URLs used 5-character tokens. Our sample random scan of these URLs yielded 23,965,718 live links, of which 10% were for maps with driving directions. These include directions to and from many sensitive locations: clinics for specific diseases (including cancer and mental diseases), addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, gentlemen’s clubs, etc. The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions


Thanks. This was a good summary of the problem.

Do Google et al not have any kind of rate limiting which looks at suspicious behaviour like scanning lots of short URLs?


Did you read the article? At the bottom it said that they have both increased the key size to 11 or 12 characters and deployed methods for preventing the brute forcing of these URL's. I think that it's safe to assume that one of these methods is rate limiting.


Thanks. I asked specifically about rate limiting as the article didn't specifically mention it.


In other news, some people use password as their password and 123 456 as the combination to their briefcase!


The difference is when those tokens are autogenerated for the user and the user may not even know about it, let alone know about the risk.

A better analogy would be when routers ship with a default world-viewable admin UI and admin as its password.


Agreed (to an extent). The real problem with URL shorteners is their longevity. Some routinely delete old URLs and all will most certainly be gone within the next decades.


I agree that's a problem, but it's not really relevant to the article.


Also everyone should be smart enough to realize a public short URL isn't security. There are public one time password sites that provide a far more secure way to share a file quickly IMHO.


Is your grandmother "smart" enough to realize this?

I think your expectations about the "smartness" of the public are not justified. It's not actually about smartness; it's about information theory. Not everybody is as up to date as you are.


This question is a red herring IMO. Are grandmothers sharing secret information via 5 character encoded URL shorteners? Maybe so or maybe the typical person who would use a public URL shortener to share secret documents isn't a clueless grandma.


Is it the age, gender, or reproductive status of grandmothers that make them less intelligent or less 'up to date' than other people?


Like I said in the second sentence of my post, it's not about intelligence, it's about knowledge: specifically, knowledge of information theory. Grandmothers, as a general rule, are less likely to know about Shannon entropy than the population of HN readers and their milieu (hackers, it's in the name of the site).




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: