OneDrive generates short URLs for documents and folders using [..] the same tokens as bit.ly. [..] In our sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens [..] 19,524 URLs lead to OneDrive/SkyDrive files and folders, most of them live. [..] From the URL to a single shared document (“seed”), one can construct the root URL [from which] it is easy to automatically discover URLs of other shared files and folders in the account
In other words, the links provided by these shorteners contain authorization information. And:
Around 7% of the OneDrive folders discovered in this fashion allow writing.
And in the case of Google Maps:
goo.gl/maps URLs used 5-character tokens. Our sample random scan of these URLs yielded 23,965,718 live links, of which 10% were for maps with driving directions. These include directions to and from many sensitive locations: clinics for specific diseases (including cancer and mental diseases), addiction treatment centers, abortion providers, correctional and juvenile detention facilities, payday and car-title lenders, gentlemen’s clubs, etc. The endpoints of driving directions often contain enough information (e.g., addresses of single-family residences) to uniquely identify the individuals who requested the directions
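The arithmetic behind those numbers, as an added example (not code from the paper or from any of the shortener services discussed): how the live fraction of a token keyspace follows from token length, what length would be needed to push that fraction down, and a simple log-side check for the scanning behaviour the thread asks about. The 62-symbol alphabet and the log line format are assumptions.

```python
"""Token keyspace arithmetic and a scan detector for URL shorteners."""
from collections import defaultdict

ALPHABET = 62  # assumed token alphabet [A-Za-z0-9]


def token_space(length, alphabet=ALPHABET):
    """Number of distinct tokens of the given length."""
    return alphabet ** length


def live_fraction(live_urls, length, alphabet=ALPHABET):
    """Fraction of the keyspace that resolves, i.e. the probability that one
    uniformly random token is a live link."""
    return live_urls / token_space(length, alphabet)


def min_length_for_hit_rate(live_urls, max_hit_rate, alphabet=ALPHABET):
    """Smallest token length at which a random probe resolves with
    probability at most `max_hit_rate`, for a service holding `live_urls`."""
    length = 1
    while live_fraction(live_urls, length, alphabet) > max_hit_rate:
        length += 1
    return length


def flag_scanners(log_lines, min_lookups=20, min_miss_ratio=0.9):
    """Flag clients whose lookups are mostly for tokens that do not exist.
    A client following links it was given almost always gets a redirect;
    random probing of a sparse keyspace mostly gets 404s.
    Each line is '<client_ip> <token> <http_status>' (constructed format)."""
    lookups = defaultdict(int)
    misses = defaultdict(int)
    for line in log_lines:
        ip, _token, status = line.split()
        lookups[ip] += 1
        if status == "404":
            misses[ip] += 1
    return sorted(ip for ip, n in lookups.items()
                  if n >= min_lookups and misses[ip] / n >= min_miss_ratio)


# Constructed sample log: one client probing random tokens, one normal client.
SAMPLE_LOG = (["198.51.100.7 r%05d 404" % i for i in range(95)]
              + ["198.51.100.7 h%05d 302" % i for i in range(5)]
              + ["203.0.113.9 k%05d 302" % i for i in range(10)])

if __name__ == "__main__":
    # With the goo.gl/maps figures quoted above: 5-char tokens, 23,965,718 live.
    print("live fraction at 5 chars: %.4f" % live_fraction(23965718, 5))
    print("length for <= 1 hit per million probes:",
          min_length_for_hit_rate(23965718, 1e-6))
    print("flagged clients:", flag_scanners(SAMPLE_LOG))
```

With the quoted figures roughly 2.6% of all 5-character tokens resolve, which is why a random scan is productive; at the same number of live links, 8-character tokens would bring that below one hit per million probes.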
Do Google et al not have any kind of rate limiting which looks at suspicious behaviour like scanning lots of short URLs?
A better analogy would be when routers ship with a default world-viewable admin UI and admin as its password.
I think your expectations about the "smartness" of the public are not justified. It's not actually about smartness; it's about information theory. Not everybody is as up to date as you are.