
Kalamazoo Library / flickr (CC BY 2.0) | Remix by Max Fleishman

Even using link shorteners like Bitly can compromise your security

A short URL brute-force attack can yield private info.

Kevin Collier

Posted on Sep 24, 2015   Updated on May 27, 2021, 10:15 pm CDT

As if to prove that nothing on the Internet is sacred, it turns out that even using URL shorteners can compromise your privacy and security.

As security researchers Shubham Shah and Christina Camilleri found, in research published on Tuesday on Shah’s blog, link shorteners like Bitly come with a catch almost by their very nature. By definition, when a service shortens a URL, the result is a code with relatively few characters, so the number of possible short links is small enough to walk through. If a hacker—and not necessarily a very advanced one—wants to see all the links that have ever been shortened under a given shortener domain, it’s as simple as running a script to “brute force” guesses, meaning the script simply requests each possible short address and notes which ones resolve to a real link.
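The flip side of that brute-force approach is that it leaves a distinctive trace: a client following shared links almost always hits a live code, while a guesser mostly gets 404s. The following is an added example, not code from the article or from Shah’s research; it assumes a hypothetical shortener access-log format and uses constructed sample traffic to show both the size of a 7-character base62 keyspace and a simple check that flags clients whose lookups are mostly misses.

```python
import re
from collections import defaultdict

# Access-log line shape assumed for a hypothetical corporate shortener (constructed, not from the article):
# <client ip> - [<timestamp>] "GET /<short code> HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "GET /(?P<code>[0-9A-Za-z]{6,8}) HTTP/1\.[01]" (?P<status>\d{3})$'
)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes a shortener can issue, i.e. the space a guesser must cover."""
    return alphabet_size ** length


def flag_enumerators(log_text: str, min_requests: int = 20, min_miss_ratio: float = 0.8) -> dict:
    """Return {ip: (requests, misses)} for clients whose short-code lookups are mostly 404s.
    People following shared links almost always hit; a client that mostly misses is
    guessing codes rather than following links."""
    stats = defaultdict(lambda: [0, 0])  # ip -> [requests, misses]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not short-code lookups
        stats[m["ip"]][0] += 1
        if m["status"] == "404":
            stats[m["ip"]][1] += 1
    return {ip: (n, miss) for ip, (n, miss) in stats.items()
            if n >= min_requests and miss / n >= min_miss_ratio}


def build_sample_log() -> str:
    """Constructed traffic: one user who follows two shared links, and one client that
    sweeps sequential codes and lands on a live link only every tenth try."""
    lines = [
        '198.51.100.5 - [24/Sep/2015:10:00:00] "GET /bXk7Qp2 HTTP/1.1" 301',
        '198.51.100.5 - [24/Sep/2015:10:03:12] "GET /Tz9mL0a HTTP/1.1" 301',
    ]
    for i in range(30):
        status = "301" if i % 10 == 0 else "404"
        lines.append(f'203.0.113.7 - [24/Sep/2015:10:05:{i:02d}] "GET /{i:07d} HTTP/1.1" {status}')
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"7-char base62 keyspace: {keyspace(62, 7):,}")
    print("suspected enumerators:", flag_enumerators(build_sample_log()))
```

The thresholds are assumptions to tune per service; the point is that a high miss ratio over many lookups, not request volume alone, separates guessing from ordinary link following.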

“I was able to yield interesting reports within three-to-five minutes of bruteforcing URLs. It kind of gave everyone a bigger hint of what is lying around there via corporate URL shorteners,” Shah told the Daily Dot.

And why does it matter if strangers find a company’s random, working URLs? Shah says that his short test—on a major corporate website, which we won’t name, at Shah’s request—already found stuff that the company clearly wouldn’t want found, like internal corporate URLs and Google Docs forms meant just for employees.

So be careful shortening a sensitive URL. If someone’s nosy enough, they might learn it exists.

H/T Softpedia

First Published: Sep 24, 2015, 7:53 pm CDT