Hacker News new | comments | ask | show | jobs | submit login

I agree this could become a big issue - but I wouldn't consider it a "security vulnerability" per se.

URLs aren't secure, and shouldn't really be considered so.

I think it's less about the URL itself and more about the services which automatically generate them for content without the user being fully cognizant of what that implies/means. It has the potential to publicize information without the user's intent or knowledge; in the case of OneDrive from the article, it exposed documents with sensitive information when the URL itself wasn't even shared, it was just brute-forced. Prior to Google's changes to the URL shortening, it sounds like it was possible to get quite a bit of personal identifying information just by guessing at the shortened URL, even if the URL itself was never shared.

Even if URL shortening is a feature that users are aware exists, the consequences of it certainly aren't immediately clear, and to my knowledge, not many of these services include a way to disable the generation of a shortened link or have a means to prevent this type of scanning from happening.

There is a lot of content from "cloud" apps that has "private link" sharing functionality, where "only someone with this link can view the <object>".

No, it really isn't security. But yes, it really does happen, and probably a lot more than you'd think.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact