Written by Nick Heer.

Researchers Brute-Force Shortened Links

Andy Greenberg, Wired:

The researchers’ work demonstrates the unexpected privacy-invasive potential of “brute-forcing” shortened URLs: By guessing at shortened URLs until they found working ones, the researchers say that they could have pulled off tricks ranging from spreading malware on unwitting victims’ computers via Microsoft’s cloud storage service to finding out who requested Google Maps directions to abortion providers or drug addiction treatment facilities.

In aggregate, pseudo-randomized data of any kind poses a risk if brute-force attempts are not regulated.

Around ten years ago, a bunch of URL-shortening and image hosting services sprang up — one called “idzr”, another was called “kttns”.[1] These services were created in response to Twitter’s character limitations and a lack of decent image hosting at the time, and eventually begot entire companies like Droplr and CloudApp.

At the time, there was also a strong jailbreaking and customization culture for OS X, iOS, and Windows. Entire forums like Aqua Soft and Macristocracy centred around the ways in which users would tweak their home screens or modify OS X’s appearance. Many of you were probably members.

I distinctly recall someone in the #MacThemes IRC channel one day making a site that crawled a couple of these URL shortening services and displayed everything hosted on them. There was nothing particularly sensitive, as best as I can recall; occasionally, there were privately-shared icons and desktop pictures.

At any rate, the owners of the services in question quickly modified their code so that short links couldn’t be brute-forced or automatically crawled, and measures were put in place to limit access rates on any particular link.

This stuff was solved years ago on services built by a single developer. This shouldn’t be an issue at large companies like Google and Microsoft.
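The two defences described above, tokens drawn from a space too large to enumerate and a per-client cap on lookup attempts, are easy to quantify. The following Python is an added illustration, not code from the post or from any of the services it names; the 62-character alphabet, the token lengths, the link counts and the lookup rates are assumed for the sake of the arithmetic, and RateLimitedResolver is a hypothetical shortener lookup with a sliding-window limit in which failed guesses also consume the quota.

```python
import math
import secrets
import string
import time
from collections import defaultdict, deque

# Assumed alphabet: many shorteners use [A-Za-z0-9], i.e. 62 symbols per position.
ALPHABET = string.ascii_letters + string.digits


def keyspace_size(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_guesses_per_hit(length, issued_links, alphabet_size=len(ALPHABET)):
    """Expected random lookups before one lands on an issued link.

    With issued_links tokens in use out of keyspace_size possibilities, each
    uniformly random guess hits with probability issued/keyspace, so the
    expected number of guesses per hit is keyspace/issued."""
    return keyspace_size(length, alphabet_size) / issued_links


def seconds_to_enumerate(length, rate_per_second, alphabet_size=len(ALPHABET)):
    """Wall-clock time to walk the entire token space at a fixed lookup rate."""
    return keyspace_size(length, alphabet_size) / rate_per_second


def new_token(nbytes=16):
    """Token with 8*nbytes bits of entropy from the OS CSPRNG (22 chars for 16 bytes)."""
    return secrets.token_urlsafe(nbytes)


class RateLimitedResolver:
    """Hypothetical short-link lookup with a sliding-window limit per client.

    Unknown tokens are charged against the quota as well: a crawler mostly
    sees misses, so counting only successful resolutions would not slow it."""

    def __init__(self, links, max_lookups, window_seconds, clock=time.monotonic):
        self._links = links              # token -> target URL
        self._max = max_lookups
        self._window = window_seconds
        self._clock = clock              # injectable for deterministic tests
        self._history = defaultdict(deque)

    def resolve(self, client_id, token):
        now = self._clock()
        recent = self._history[client_id]
        # Drop lookups that have aged out of the window.
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) >= self._max:
            return ("rate_limited", None)
        recent.append(now)
        target = self._links.get(token)
        if target is None:
            return ("not_found", None)
        return ("ok", target)


if __name__ == "__main__":
    # Constructed figures: a 6-character token space holding one million links,
    # probed at 1,000 lookups per second, versus a 128-bit token.
    print("6-char keyspace:", keyspace_size(6))
    print("guesses per hit with 1M links:", expected_guesses_per_hit(6, 1_000_000))
    print("seconds to enumerate 6 chars at 1k/s:", seconds_to_enumerate(6, 1000))
    print("bits of entropy in new_token():", 16 * 8, "->", new_token())
    r = RateLimitedResolver({"abc123": "https://example.com/a"}, max_lookups=3, window_seconds=60)
    for tok in ("abc123", "zzzzzz", "zzzzzy", "abc123"):
        print(tok, r.resolve("client-1", tok))
```

The arithmetic is the point: a six-character token space is about 5.7 × 10^10 entries, and with a million links issued a random guess hits roughly once every 57,000 tries, which is hours of work for an unthrottled client; a token with 128 bits of entropy makes the same search infeasible regardless of throttling, and the sliding window turns a 1,000-per-second scan into a handful of requests per minute even where short tokens must be kept for compatibility.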

1. The original, as far as I’m concerned, dznr, allowed accounts by invitation only. It was shut down in 2013.