Take care before you share

By on
Take care before you share

How to prevent the potential privacy and security issues caused by passing on or following web links.

Every so often you come across a web page that you want to share with someone. Putting aside cat videos and the like, you might see read an article in BIT or some other site that you think would benefit one of your business contacts or employees.

Most writers and publishers love you doing that – the bigger the audience, the better. But you might be sharing more than you intended.

Don’t use URLs with tracking information

If you copy and paste a URL from a publication's newsletter (or, for that matter, an email sent by a company), it most likely includes tracking information, perhaps along the lines of http://click.email.example.com/?qs=7fa1fc8b37f9300922365256358ab5000848a41023644707fff (but with a real domain in place of example.com).

Don't pass that on to someone else. Instead, copy the URL that appears in your browser when you're viewing the page in question. That might look something like http://www.example.com/section/this-is-a-headline?eid=email:nnn-99ooo999-member:xxx-05%2F05%2F9999-fluffflufffluff&campaign_code=00XYZ&promote_channel=email&mbnr=AbcdEFg.

But don't sent that to anyone, either! The portion of the URL following the question mark is used largely for tracking purposes, so truncate it to http://www.example.com/section/this-is-a-headline.

Check that works – it usually will – and then forward it to your colleague.

Why go to this much trouble? If your colleague follows a URL with tracking information, and he then clicks on a link on that page, his activity will then be tracked, blending with your tracking information.  As a result, you may be bombarded with ads that aren't of any interest to you and could be potentially embarrassing.

Note that as a general rule, it is not good practice to click on links in emails unless you are sure the sender is who you think it is, and that they are trustworthy. Even then, get into the habit of 'hovering' over the link and check that it is taking you where you think it is.

Beware URL shorteners

The other issues concern URL shorteners – services such as bit.ly and tinyurl.com that generate a short URL that forwards to a much longer one. For example, http://bit.ly/1QjrS8G and http://tinyurl.com/zbo6nbw both lead to http://www.bit.com.au/News/417442,another-reason-to-avoid-found-thumb-drives.aspx .

Shortened URLs are useful in situations where people need to write down a URL (such as from your presentation or a real-world advertisement), or where the number of characters available is severely limited, which is why Twitter automatically shortens long URLs if necessary.

The problem is that the recipient can't see where the URL is taking them, so they are implicitly trusting the sender. Why is that a problem? Let's just say that it could be a web page that you wouldn't choose to visit.

Tinyurl.com does have a feature that displays the destination URL before taking the recipient there, but that involves either a special form of the URL (eg, http://preview.tinyurl.com/zbo6nbw  instead of http://tinyurl.com/zbo6nbw), or visiting http://tinyurl.com/preview.php and letting it set a cookie that tells the service to preview the URL by default.

So that's why you want to treat other people's short URLs with caution. But be aware than if you shorten the wrong URLs you might be revealing more information than you thought.

OneDrive files revealed

A study by independent security researcher Martin Georgiev and Cornell Tech professor Vitaly Shmatikov found that files stored in Microsoft's OneDrive could be discovered by starting with a randomly-generated 1drv.ms (Microsoft's URL shortener for OneDrive that is actually operated by bit.ly) URL.

The trick was that the expanded URL included the cid and authkey parameters (roughly equivalent to a username and password), which could be used to generate the root URL for that OneDrive account, and from there all the other files and folders could be discovered.

It would even be possible to drop a piece of malware into a OneDrive folder, which would then be automatically synchronised with all of the user's devices. (Microsoft has subsequently made changes that either prevented exploitation or at least made it more difficult).

Mapping personal details

Georgiev and Shmatikov also discovered that that goo.gl/maps shortened URLs generated before September 2015 only used five characters, and of those randomly scanned 10 percent returned maps with driving directions. That doesn't sound too bad, but "the endpoints of driving directions shared via short URLs often contain enough information to uniquely identify the individuals who requested the directions. For instance, when analysing one such endpoint, we uncovered the address, full name, and age of a young woman who shared directions to a planned parenthood facility".

When they reported their findings to Google, the company responded by switching to 11 or 12 character tokens, which massively reduces the chance that a randomly selected token will correspond to an actual URL.

Even though both of these specific cases have been addressed by the companies concerned, who is to say that shortened URLs can't be misused in other situations?

So don't use a URL shortener in any situation where you're not happy for anyone in the world to see the content behind the original URL. And be cautious when someone directs you to a shortened URL, because it might not be what you expect.

Copyright © BIT (Business IT). All rights reserved.

Most Read Articles


What would you like to see more of on BiT?
How To's
Photo Galleries
View poll archive

Log In

  |  Forgot your password?