As if to prove that nothing on the Internet is sacred, it turns out that even using URL shorteners can compromise your privacy and security.
Found by security researcher Shubham Shah and Christina Camilleri and published on Tuesday on Shah’s blog, link shorteners like Bitly, almost by their very nature, come with a catch. By definition, when a service shortens a URL, the result is going to be something with relatively few characters. So if a hacker—and not necessarily a very advanced one—wants to see all the links that have ever been shortened from a given domain name, it’s as simple as running a script to “brute force” guesses, meaning the script simply checks each possible address to see if it’s possible.
“I was able to yield interesting reports within three-to-five minutes of bruteforcing URLs. It kind of gave everyone a bigger hint of what is lying around there via corporate URL shorteners,” Shah told the Daily Dot.
And why does it matter if strangers find a company’s random, working URLs? Shah says that his short test—on a major corporate website, which we won’t name, at Shah’s request—already found stuff that the company clearly wouldn’t want found, like internal corporate URLs and Google Docs forms meant just for employees.
So be careful shortening a sensitive URL. If someone’s nosy enough, they might learn it exists.