Modern cloud services are designed to encourage and support collaboration. To help users share links to online documents, maps, etc., several services, including cloud storage providers such as Microsoft OneDrive and mapping services such as Google Maps, directly integrate URL shorteners that convert long, unwieldy URLs into short URLs, consisting of a domain such as 1drv.ms or goo.gl and a short token. In this paper, we demonstrate that the space of 5- and 6-character tokens included in short URLs is so small that it can be scanned using brute-force search. Therefore, all online resources that were intended to be shared with a few trusted friends or collaborators are effectively public and can be accessed by anyone. This leads to serious security and privacy vulnerabilities. In the case of cloud storage, we focus on Microsoft OneDrive. We show how to use short-URL enumeration to discover and read shared content stored in the OneDrive cloud, including even files for which the user did not generate a short URL. 7% of the OneDrive accounts exposed in this fashion allow anyone to write into them. Since cloud-stored files are automatically copied into users' personal computers and devices, this is a vector for large-scale, automated malware injection. In the case of online maps, we show how short-URL enumeration reveals the directions that users shared with each other. For many individual users, this enables inference of their residential addresses, true identities, and extremely sensitive locations they visited that, if publicly revealed, would violate medical and financial privacy.

翻译：现代云服务旨在鼓励和支持合作。 为了帮助用户共享在线文件、地图等链接, 包括微软 OneDrive 等云端存储供应商以及Google Maps等映像服务等云层存储服务, 直接整合由 1drv.ms 或 goo. gl 等域组成的将长、 模糊的 URL 直接转换成短的 URL URL 。 在本文中, 我们显示, 包含 5 - 和 6 字符的标本空间太小, 以至于可以使用布鲁特力搜索进行扫描。 因此, 所有原本打算与几个信任的朋友或合作者共享的云存储器, 包括 Microsoft OneDrive 等云层存储器的空闲空间。 因此, 所有在线资源都是有效的公开共享的, 并且任何人都可以访问。 这导致安全和隐私的脆弱性。 在云层存储时, 我们如何使用 快速的光标点来发现并阅读 One- URive 云端的共享地址, 包括许多用户不会创建简短的 URL URL 。